Internet no longer works (GTALK still works), This after trying to remove some malware Options

[mjcoury]

I had a fresh copy of Windows XP (patched to SP3) installed on my box and after trying to remove some unsavory malware (using SPYBOT, AVG, and MALWAREBYTES') I am no longer able to connect to web pages... I am however able to connect to GTALK - which leads me to believe something has blocked the ports related to normal http:// - I am on a laptop as we speaking connected to the same internet connection...


Any help would be great

Thanks,

Mike

[Budapest]

Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd" In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot. Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.

[mjcoury]

Tried -

I did everything as stated - with the reset after resetting the winsock and then flushing the DNS - Chat client (GTALK) still works - not able to find web pages...

interestingly I can ping google.com but cannot ping coke.com ....

Next Steps?

This post has been edited by mjcoury: Jul 1 2009, 06:32 PM

[Budapest]

Try these two fixes:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html

Also, if you have a router or modem you might want to reset it.

[mjcoury]

Still No Love....

tried both solutions as well as reset the modem and router (I am on the same router and modem with a laptop)

Thanks for your help BTW

Some additional information :

The initial reason for all the nonsense was malware of somekind had hijacked my computer so that any time I clicked on a link it would redirect my browser (either Chrom, Firefox, or IE) to some searchpage and it would use the word? or link as the search string.... I can't recall what website it was and my history of course has been blasted by the combination of spybot, avg, and malwarebyte's

Thanks

This post has been edited by mjcoury: Jul 1 2009, 06:51 PM

[Budapest]

Please download HostsXpert 4.2

• Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
• Double-click HostsXpert.exe to run the program.
• Click "Restore MS Hosts File".
• Click OK at the confirmation box.
• Click "Make Read Only".
• Click the X to exit the program.

-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

[mjcoury]

Sigh,

Still no go... any other ideas up your sleeve?

[Budapest]

Please print out and follow these instructions: "How to use SDFix". This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to renable you anti-virus and and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

[mjcoury]

SDFix: Version 1.240
Run by Michael on Thu 07/02/2009 at 08:08 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 08:14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\steamapps\\qatar11\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\qatar11\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - spd\\DOW2.exe"="C:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - spd\\DOW2.exe:*:Enabled:Warhammer 40,000: Dawn of War II - Single-player Demo"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 24 Jun 2009 28,160 ...H. --- "C:\WINDOWS\ld10.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 13 Jun 2009 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

[garmanma]

I'm sorry, but you need to repost you log.

I have moved your Topic that included a HijackThis/DDS log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis/DDS logs analysis. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.

We understand that dealing with malware issues and getting help can be frustrating but improperly posting a log usually happens if you missed the directions we provide to those who require malware removal assistance. Prior to posting a log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you can't perform a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Prep Guide to post a new log.

Please do not post any more logs to this topic as it just a placeholder to be used to help you post the information in the proper way and in the proper forum. Going forward, HijackThis logs should only be posted in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal in order to make it easier for our helpers to respond to your topic

The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new DDS/HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff

[mjcoury]

Please find the thread here:

http://www.bleepingcomputer.com/forums/topic238159.html

This is not a simple Hijack issues as I feel immediate problem is that the web pages do not load but GTALK does work and I can ping google.com but not other sites (i.e coke.com)

I'm guessing the moving of the post is automated


-Mike

[boopme]

Hello pleas follow steps 6 and 7 here to post the logs nneded..

http://www.bleepingcomputer.com/forums/topic34773.html

[mjcoury]

I appreciate your help in this matter but one look at the thread that I linked to contains ALL of the logs required. The fact that I attached these logs forced me to re-start my thread as a bot incorrectly moved my thread - so please look at the attached thread in my initial post,

Thanks

[boopme]

Hello I have merged your posts together here. I have split away and created a new Topic for your HJT/DDS log. It is here.

http://www.bleepingcomputer.com/forums/ind...p;#entry1323452

It is titled
malware of somekind had hijacked my computer,
Split away by boopme from AII topic

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.