
Winsock catalog problems


No replies to this topic

#1 Troy C.


Posted 05 February 2009 - 08:53 PM

Hi-
My first post, but I've pored through the forum for a while now. I'm investigating a winsock error/no internet connectivity problem on a friend's PC. I don't think there is any active malware on this PC (correct me if I'm wrong, obviously).

So here's the latest HijackThis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:04 PM, on 2/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Dawn\Application Data\U3\0D90318090412A08\LaunchPad.exe
F:\Dave's computer fix\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {103702DF-7CB1-427F-A7B7-4C2775E4FD5B} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {8BFB94D0-2848-4735-BD85-87F9D522F072} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {9CCAAEA2-22C0-4BA3-A9E4-6B3E6B66B9D1} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://chat.microsoft.upgrade.com/netagent...ects/emagic.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.oberon-media.com/online2/lu...mjolauncher.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4438 bytes


And the combofix log:

ComboFix 09-02-05.01 - Dawn 2009-02-05 20:23:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.285 [GMT -5:00]
Running from: f:\dave's computer fix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\_000123_.tmp.dll
c:\windows\system32\_000137_.tmp.dll
c:\windows\system32\_000140_.tmp.dll
c:\windows\system32\_000143_.tmp.dll
c:\windows\system32\_000147_.tmp.dll
c:\windows\system32\_000150_.tmp.dll
c:\windows\system32\_000161_.tmp.dll
c:\windows\system32\_000163_.tmp.dll
c:\windows\system32\_002949_.tmp.dll
c:\windows\system32\_002950_.tmp.dll
c:\windows\system32\_002951_.tmp.dll
c:\windows\system32\_002952_.tmp.dll
c:\windows\system32\_002959_.tmp.dll
c:\windows\system32\_002960_.tmp.dll
c:\windows\system32\_002961_.tmp.dll
c:\windows\system32\_002962_.tmp.dll
c:\windows\system32\_002964_.tmp.dll
c:\windows\system32\_002965_.tmp.dll
c:\windows\system32\_002968_.tmp.dll
c:\windows\system32\_002969_.tmp.dll
c:\windows\system32\_002971_.tmp.dll
c:\windows\system32\_002972_.tmp.dll
c:\windows\system32\_002973_.tmp.dll
c:\windows\system32\_002975_.tmp.dll
c:\windows\system32\_002978_.tmp.dll
c:\windows\system32\_002979_.tmp.dll
c:\windows\system32\_002983_.tmp.dll
c:\windows\system32\_002984_.tmp.dll
c:\windows\system32\_002986_.tmp.dll
c:\windows\system32\_002989_.tmp.dll
c:\windows\system32\_002991_.tmp.dll
c:\windows\system32\_002992_.tmp.dll
c:\windows\system32\_002993_.tmp.dll
c:\windows\system32\_002994_.tmp.dll
c:\windows\system32\_002995_.tmp.dll
c:\windows\system32\_002998_.tmp.dll
c:\windows\system32\_002999_.tmp.dll
c:\windows\system32\_003000_.tmp.dll
c:\windows\system32\_003001_.tmp.dll
c:\windows\system32\_003002_.tmp.dll
c:\windows\system32\_003007_.tmp.dll
c:\windows\system32\_003009_.tmp.dll
c:\windows\system32\_003010_.tmp.dll
F:\AUTORUN.INF

.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-05 19:06 . 2009-02-05 19:06 <DIR> d-------- C:\SYSTEM.SAV
2009-02-05 18:44 . 2005-10-19 17:39 161,424 --a------ c:\windows\SYSTEM32\SymRedir.dll
2009-02-05 18:44 . 2005-10-19 17:06 1,133 --a------ c:\windows\SYSTEM32\SymRedir.inf
2009-02-05 18:43 . 2005-10-19 17:06 20 --a------ c:\windows\SYSTEM32\SymRedir.cat
2009-02-05 18:42 . 2009-02-05 20:20 <DIR> d-------- c:\documents and settings\Dawn\Application Data\U3
2009-01-28 13:07 . 2009-01-28 13:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-28 12:26 . 2009-01-28 12:26 <DIR> d-------- c:\documents and settings\Dawn\Application Data\Webroot
2009-01-28 12:25 . 2009-01-28 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Geek Squad
2009-01-27 18:45 . 2009-01-27 18:45 65 --a------ c:\windows\boc427.ini
2009-01-27 06:17 . 2009-01-27 06:17 249,592 --a------ c:\windows\SYSTEM32\cssdll32.dll
2009-01-27 06:12 . 2009-01-27 06:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-27 06:12 . 2009-01-27 06:12 147,192 --a------ c:\windows\SYSTEM32\guard32.dll
2009-01-27 06:12 . 2009-01-27 06:12 101,776 --a------ c:\windows\SYSTEM32\DRIVERS\cmdguard.sys
2009-01-27 06:12 . 2009-01-27 06:12 31,504 --a------ c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys
2009-01-27 06:11 . 2009-01-27 19:01 <DIR> d-------- c:\program files\Comodo
2009-01-27 06:11 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2009-01-27 06:11 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2009-01-27 06:11 . 2004-08-04 05:00 22,528 --a------ c:\windows\SYSTEM32\wsock32.dlb
2009-01-26 18:17 . 2009-01-27 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-26 17:36 . 2009-01-26 17:38 <DIR> d-------- c:\documents and settings\Dawn\Application Data\Yahoo!
2009-01-25 19:28 . 2009-01-25 19:28 73 --a------ c:\windows\st_affiliate.ini
2009-01-24 21:05 . 2009-01-27 17:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 20:51 . 2009-01-24 20:51 <DIR> d-------- c:\documents and settings\Dawn\Application Data\Malwarebytes
2009-01-24 20:51 . 2009-01-24 20:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 20:38 . 2009-01-25 15:12 725 --a------ c:\windows\win.tmp
2009-01-24 20:38 . 2006-05-19 16:49 231 --a------ c:\windows\system.tmp
2009-01-24 20:28 . 2009-01-24 20:28 <DIR> d-------- c:\documents and settings\Dawn\Application Data\Motive
2009-01-24 20:22 . 2009-01-24 20:22 0 --a------ C:\~GLHTTP1.TMP
2009-01-24 20:19 . 2009-01-24 20:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2009-01-24 20:18 . 2009-01-24 20:19 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-24 20:18 . 2009-01-25 06:55 <DIR> d-------- c:\documents and settings\Dawn\Application Data\SpywareStop
2009-01-24 19:43 . 2009-01-27 07:54 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-24 19:37 . 2009-01-24 19:43 63 --a------ c:\windows\SYSTEM\SysSD.dll
2009-01-24 16:26 . 2009-01-24 16:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 16:23 . 2009-01-24 16:24 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-21 20:49 . 2009-01-24 19:06 <DIR> d-------- c:\program files\NOS
2009-01-21 20:49 . 2009-01-24 19:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-14 16:31 . 2009-01-14 16:31 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-14 13:16 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-14 13:16 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2009-01-14 13:16 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-13 19:46 . 2009-01-13 19:46 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-12 19:28 . 2009-01-13 22:16 <DIR> d-------- c:\documents and settings\Dawn\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 18:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-27 23:44 --------- d-----w c:\program files\Comcast Play Games
2009-01-27 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-27 13:01 --------- d-----w c:\program files\Support.com
2009-01-27 11:21 --------- d-----w c:\program files\LimeWire
2009-01-27 10:35 --------- d-----w c:\program files\verizon
2009-01-26 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-26 22:37 --------- d-----w c:\program files\Yahoo!
2009-01-26 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-24 20:18 --------- d-----w c:\program files\Java
2009-01-18 02:06 --------- d-----w c:\program files\Microsoft Works
2009-01-06 12:05 --------- d-----w c:\program files\Hewlett-Packard
2009-01-05 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-30 02:11 --------- d-----w c:\program files\Best Buy Games
2008-12-30 02:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 02:10 --------- d-----w c:\documents and settings\Dawn\Application Data\Microsoft Games
2008-12-30 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-12-30 02:05 --------- d-----w c:\program files\Hasbro Interactive
2008-12-29 17:05 --------- d--h--w c:\documents and settings\Dawn\Application Data\Gtek
2008-12-29 16:33 --------- d-----w c:\program files\DellSupport
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2006-12-30 14:57 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 05:00 15360 c:\windows\SYSTEM32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"cmdAgent"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [2009-01-27 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2009-01-27 31504]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S4 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27784b28-ed66-11dd-baf7-0013205d6905}]
\Shell\AutoRun\command - E:\load.bat
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net
mStart Page = hxxp://www.comcast.net
uInternet Connection Wizard,ShellNext = iexplore
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k42037/sb02b.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 20:30:53
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-05 20:34:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 01:34:38

Pre-Run: 59,404,111,872 bytes free
Post-Run: 59,390,607,360 bytes free

189 --- E O F --- 2009-02-05 23:11:49


Thanks in advance.

-troy
