
Unknown virus/hijack


21 replies to this topic

#1 DonohoFlnkr
  • Members
  • 20 posts

Posted 21 April 2009 - 07:33 PM

I'm running XP. Last Thursday, my PC began experiencing a myriad of problems:

- Website hijacking
- memory and HDD slowdown

When I attempted to run SuperAntiSpyware, it would not run. I was able to start it up with the alternate start, but it only found a handful of tracking cookies.
I then attempted to run MalwareBytes AntiMalware and it would not load. I've attempted several re-installs, but it will not load.

Over the weekend 2 days ago, it began showing DNS errors and now I am unable to log on to my network unless I am in safe mode. I attempted to run a MS restore, for dates up to a month ago, but like the MBAM, it will not load/run/restart the computer.

I have a HJT log that I ran earlier today, and am out of options now. I was able to remove a Vundo and a variant of it a couple of months ago, but I am clueless with this one.


#2 rigel
  • BC Advisor
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 21 April 2009 - 08:21 PM

You may have to download this program to another computer and transfer it to your computer via flash drive.

Install RootRepeal

Click here - Official RootRepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, then click Scan. A window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK.
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (the default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#3 DonohoFlnkr (Topic Starter)

Posted 21 April 2009 - 10:12 PM

Okay, this is the report. It was run in SafeMode if that makes any difference.


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 22:47
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6F1A000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B16000 Size: 8192 File Visible: No
Status: -

Name: gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
Address: 0xF71B9000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6688000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxcjksfpedaqasvmknvovlsjsxxnwuqjlma.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Temp\etilqs_HulbHbDfHfMT3dLG5wDE
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Michael\Local Settings\Temp\Setup Log 2009-03-07 #001.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Temp\TMP2B.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Temp\SSUPDATE.EXE
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\temp0.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\temp1.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF6454.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF688F.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF6C87.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7001.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF74BE.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7666.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF775D.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7926.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7B8B.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7E3B.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7F26.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF7F56.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF84E6.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF858F.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF85B4.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF8949.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF8F1C.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF8FBE.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF91C5.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\~DF9803.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Status: Allocation size mismatch (API: 143360, Raw: 139264)

Path: C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\The Movies\vw\3\Ultimate Collection of Dating Books Ver. 2.0 - David Deangelo and Others\HTML Links\The Don Juan Bible- Hints, tips and articles on the art of seduction, romance, dating and courting (DJB, DJ).webloc
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\The Movies\vw\3\Ultimate Collection of Dating Books Ver. 2.0 - David Deangelo and Others\PDFs\David DeAngelo Ebook Collection\David DeAngelo - Double Your Dating - Sexual Communication - Series Notes - Summary.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\The Movies\vw\3\Ultimate Collection of Dating Books Ver. 2.0 - David Deangelo and Others\PDFs\David DeAngelo Ebook Collection\David DeAngelo - Interviews with Dating Gurus - The Stephen Interview Special Report.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\My Games\my nintendo\Complete Set [NES] ENGLISH Verision Roms by Maharashi\Complete Set [NES] ENGLISH Verision ROMS\Mario Roms\The Frank Series\Frank's Second Ultimate Super Mario Bros Nasy Version (SMB1 Hack).zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\My Games\my nintendo\Complete Set [NES] ENGLISH Verision Roms by Maharashi\Complete Set [NES] ENGLISH Verision ROMS\Mario Roms\The Frank Series\Frank's Second Ultimate Super Mario Bros Normal Version (SMB1 Hack).zip
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
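A small parser for the RootRepeal report format, added here as an example; it is not code from RootRepeal or from anyone in this thread. It reads the three sections of the report above into records and ranks them: entries RootRepeal marks as hidden from the Windows API (the gxvxc driver, the gxvxc DLL and the hidden service) are the rootkit indicators worth acting on, while the locked, size-mismatch and "visible but not on disk" entries are the kind the advisor later explains away as files held open by Firefox, SecuROM and friends or stale temp files. It also groups the hidden service and the hidden driver that share an image path, so they are treated as one component. The embedded SAMPLE_REPORT is a constructed excerpt of the posted log and the severity labels are the example's own, not RootRepeal's.

```python
"""Triage helper for a RootRepeal text report (added example for this thread,
not code from RootRepeal or the posters). Parses the Drivers / Hidden-Locked
Files / Hidden Services sections and ranks each entry: objects hidden from the
Windows API are rootkit indicators; locked files, size mismatches and stale
temp entries are usually benign. SAMPLE_REPORT is a constructed excerpt."""
from dataclasses import dataclass

SAMPLE_REPORT = r"""
Scan Time: 2009/04/21 22:47
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6F1A000 Size: 98304 File Visible: No
Status: -

Name: gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
Address: 0xF71B9000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\gxvxcjksfpedaqasvmknvovlsjsxxnwuqjlma.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Temp\etilqs_HulbHbDfHfMT3dLG5wDE
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Michael\Local Settings\Temp\temp0.exe
Status: Visible to the Windows API, but not on disk.

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "Hidden Services")
HIGH_MARKERS = ("Hidden from Windows API", "Invisible to the Windows API")


@dataclass
class Finding:
    section: str
    name: str        # driver file name, full file path, or service name
    image_path: str  # on-disk image for drivers and services ("" for files)
    status: str
    severity: str    # "high", "low" or "info" (labels chosen for this example)


def assess(section: str, status: str) -> str:
    """Hidden services and anything hidden from the Windows API are the rootkit
    indicators; the remaining statuses are normal on a live system."""
    if section == "Hidden Services" or any(m in status for m in HIGH_MARKERS):
        return "high"
    s = status.lower()
    if "locked to the windows api" in s or "size mismatch" in s:
        return "low"   # file held open by a running program (browser, DRM, SQLite)
    if "not on disk" in s:
        return "low"   # stale directory entry for an already-deleted temp file
    return "info"


def parse_report(text: str) -> list[Finding]:
    """Entries are 'Key: value' lines separated by blank lines under one of the
    three section headings; rule lines and the preamble are skipped."""
    findings: list[Finding] = []
    section = None
    record: dict[str, str] = {}

    def flush() -> None:
        if section is not None and record:
            name = record.get("Name") or record.get("Path") or record.get("Service Name", "")
            status = record.get("Status", "-")
            findings.append(Finding(section, name, record.get("Image Path", ""),
                                    status, assess(section, status)))
        record.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
        elif line in SECTIONS:
            flush()
            section = line
        elif set(line) <= set("-="):
            continue  # rule line under a heading
        elif ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    flush()
    return findings


def triage(text: str) -> dict[str, list[str]]:
    """Entry names grouped by severity, each list sorted."""
    buckets: dict[str, list[str]] = {"high": [], "low": [], "info": []}
    for f in parse_report(text):
        buckets[f.severity].append(f.name)
    return {k: sorted(v) for k, v in buckets.items()}


def linked_components(findings: list[Finding]) -> dict[str, list[str]]:
    """Group high-severity entries by the image they share, so a hidden service
    and the hidden driver it loads are reported as one component."""
    groups: dict[str, list[str]] = {}
    for f in findings:
        if f.severity == "high":
            key = (f.image_path or f.name).lower()
            groups.setdefault(key, []).append(f"{f.section}: {f.name}")
    return groups


if __name__ == "__main__":
    for sev, names in triage(SAMPLE_REPORT).items():
        print(sev.upper(), *names, sep="\n  ")
    for image, parts in linked_components(parse_report(SAMPLE_REPORT)).items():
        print(image, "<-", ", ".join(parts))
```

On the full report posted above, the same logic puts only the three gxvxc entries in the high bucket and leaves the SecuROM, ROM-archive and temp-file entries alone, which matches the advice that follows in the thread.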

#4 DonohoFlnkr (Topic Starter)

Posted 22 April 2009 - 12:53 AM

Okay.
MBAM still would not run, so I deleted the gxvx... . sys file as the link suggested.
Rebooted, XP automatically ran Chkdsk as the disk was dirty.
In normal mode, attempted to run MBAM, still no dice. Ran RootRepeal and received the following message/crash report


ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x010dc004


Also, still unable to log onto IE or Firefox in safe mode, but I can get to that later.
Right now, re-running RootRepeal in Safe mode to find other possible files to delete.

???
The odd ball characters in that 1st report? Is it safe to assume that those should be deleted/wiped with RootRepeal, as well?

#5 DonohoFlnkr (Topic Starter)

Posted 22 April 2009 - 01:08 AM

Re-ran RootRepeal:

New Report:

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6F2D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0C000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6793000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Michael\Local Settings\Temp\etilqs_ncIsVlk4LmLO4FITI6bB
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\a3s4ct5q.default\places.sqlite-journal
Status: Size mismatch (API: 78488, Raw: 49760)

Path: C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\a3s4ct5q.default\sessionstore.js
Status: Size mismatch (API: 11229, Raw: 8882)

Path: C:\Documents and Settings\Michael\My Documents\My Games\my nintendo\Complete Set [NES] ENGLISH Verision Roms by Maharashi\Complete Set [NES] ENGLISH Verision ROMS\Mario Roms\The Frank Series\Frank's Second Ultimate Super Mario Bros Nasy Version (SMB1 Hack).zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\My Games\my nintendo\Complete Set [NES] ENGLISH Verision Roms by Maharashi\Complete Set [NES] ENGLISH Verision ROMS\Mario Roms\The Frank Series\Frank's Second Ultimate Super Mario Bros Normal Version (SMB1 Hack).zip
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcaycklflniiqkdlmvmrthvofkpbesmbqs.sys

Service Name: MBAMSwissArmy
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys



Is it safe to wipe all of these files?

#6 rigel (BC Advisor)

Posted 22 April 2009 - 02:24 PM

No... you need to keep some.

Path: C:\Documents and Settings\Michael\Local Settings\Temp\etilqs_ncIsVlk4LmLO4FITI6bB - seems to be related to Firefox. I have seen many who have questioned etilqs_"character string". This looks like an OK entry.

Path: C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ - These look like part of an installed program.

SecuROM is a CD/DVD copy protection product, most often used for computer games running under Microsoft Windows, developed by Sony DADC.

Source: http://en.wikipedia.org/wiki/SecuROM

Path: C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\a3s4ct5q.default\places.sqlite-journal
SQLite listings. I have sqlite on my work computer.

Path: C:\Documents and Settings\Michael\My Documents\My Games\my nintendo\Complete Set [NES] ENGLISH Verision Roms by Maharashi\Complete Set [NES] ENGLISH Verision ROMS\Mario Roms\The Frank Series\Frank's Second Ultimate Super Mario Bros Nasy Version (SMB1 Hack).zip
These look like hacks - a good way to get infection.


Please update and rerun malwarebytes in Full Mode. Post the fresh log.



#7 DonohoFlnkr (Topic Starter)

Posted 22 April 2009 - 07:00 PM

Okay, Full mode MBAM log (had to use the random name changer):

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/22/2009 6:38:30 PM
mbam-log-2009-04-22 (18-38-30).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 241102
Time elapsed: 1 hour(s), 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Angle Interactive\RD Platinum v5.0 (Rogue.RegistryDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Angle Interactive\RD Platinum v5.0\report.csv (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\RECYCLER\S-5-3-83-100008306-100016463-100028844-2226.com (Trojan.Agent) -> Quarantined and deleted successfully.

#8 rigel (BC Advisor)

Posted 22 April 2009 - 08:08 PM

Since you had DNSChanger noted as one of your infections, I would recommend changing your wireless router's password.

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip them into the program's folder.)
  • Under "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All.
  • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All.
  • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#9 DonohoFlnkr (Topic Starter)

Posted 22 April 2009 - 10:01 PM

Since you had DNSChanger noted as one of your infections, I would recommend changing your wireless router's password.



Okay, stupid question, but how do I do this?
Do I need to be in Normal mode and use Control Panel > Network Connections > (options on left hand side)?

#10 rigel (BC Advisor)

Posted 23 April 2009 - 07:36 AM

That depends on your router.

I use my browser and enter the IP address of the router - mainly 192.168.0.0, 192.168.0.1 or 192.168.1.1.
Usually one of those addresses will let you into the router interface. Default user is admin with no password.



#11 DonohoFlnkr (Topic Starter)

Posted 23 April 2009 - 08:38 AM

That depends on your router.

I use my browser and enter the IP address of the router - mainly 192.168.0.0, 192.168.0.1 or 192.168.1.1.
Usually one of those addresses will let you into the router interface. Default user is admin with no password.


I just tried this at your suggestion and either the user name(s) or the password is not working. I know the password I set up for the router, but it's not taking that.

I ran ATF. Selected ALL for both Main Menu and Firefox.
Ran SAS - everything was clean.


http://www.superantispyware.com

Generated 04/23/2009 at 00:55 AM

Application Version : 4.26.1000

Core Rules Database Version : 3852
Trace Rules Database Version: 1805

Scan type : Complete Scan
Total Scan Time : 01:23:24

Memory items scanned : 293
Memory threats detected : 0
Registry items scanned : 6237
Registry threats detected : 0
File items scanned : 94736
File threats detected : 0
------------------------------------------

Here is what I get when I run the MS IE Connection Diag in normal mode:

Last diagnostic run time: 04/22/09 19:14:24 DNS Client Diagnostic
DNS - Not a home user scenario

info Using Web Proxy: no
info Resolving name ok for (www.microsoft.com): no
No DNS servers

DNS failure

info Query [www.microsoft.com] against DNS Server 10.0.0.1, (Type = 0x1, Options = 0x10e8) returns 0x5b4
action Automated repair: Renew IP address
action Releasing the current IP address...
action Successfully released the current IP address
action Renewing the IP address...
action Successfully renewed the current IP address
info Query [www.microsoft.com] against DNS Server 10.0.0.1, (Type = 0x1, Options = 0x10e8) returns 0x5b4
info Redirecting user to support call



Gateway Diagnostic
Gateway

info The following proxy configuration is being used by IE: Automatically Detect Settings:Enabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:
info Could not get proxy settings via the Automatic Proxy Configuration mechanism
info This computer has the following default gateway entry(ies): 10.0.0.1
info This computer has the following IP address(es): 10.0.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action Automated repair: Renew IP address
action Releasing the current IP address...
action Successfully released the current IP address
action Renewing the IP address...
action Successfully renewed the current IP address
info This computer has the following default gateway entry(ies): 10.0.0.1
info This computer has the following IP address(es): 10.0.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action Automated repair: Reset network connection
action Disabling the network adapter
action Enabling the network adapter
info Network adapter successfully enabled
info This computer has the following default gateway entry(ies): 10.0.0.1
info This computer has the following IP address(es): 10.0.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action Manual repair: Reboot modem
info This computer has the following default gateway entry(ies): 10.0.0.1
info This computer has the following IP address(es): 10.0.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
info Waiting some time for the modem/router to stabilize
action Automated repair: Renew IP address
action Releasing the current IP address...
action Successfully released the current IP address
action Renewing the IP address...
action Successfully renewed the current IP address
info This computer has the following default gateway entry(ies): 10.0.0.1
info This computer has the following IP address(es): 10.0.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue



IP Layer Diagnostic
Corrupted IP routing table

info The default route is valid
info The loopback route is valid
info The local host route is valid
info The local subnet route is valid
Invalid ARP cache entries

action The ARP cache has been flushed



IP Configuration Diagnostic
Invalid IP address

info Valid IP address detected: 10.0.0.2



Wireless Diagnostic
Wireless - Service disabled

Wireless - User SSID

Wireless - First time setup

Wireless - Radio off

Wireless - Out of range

Wireless - Hardware issue

Wireless - Novice user

Wireless - Ad-hoc network

Wireless - Less preferred

Wireless - 802.1x enabled

Wireless - Configuration mismatch

Wireless - Low SNR




WinSock Diagnostic
WinSock status

info All base service provider entries are present in the Winsock catalog.
info The Winsock Service provider chains are valid.
info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
info Provider entry RSVP UDP Service Provider passed the loopback communication test.
info Provider entry RSVP TCP Service Provider passed the loopback communication test.
info Connectivity is valid for all Winsock service providers.



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=Intel® PRO/100 VE Network Connection, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=My ISP, Device=WAN Miniport (PPPOE), MediaType=PPPOE, SubMediaType=NONE
info Network connection: Name=Incoming Connections, Device=(null), MediaType=NONE, SubMediaType=NONE
info Ethernet connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

Edited by DonohoFlnkr, 23 April 2009 - 08:51 AM.


#12 rigel (BC Advisor)

Posted 23 April 2009 - 11:27 AM

Next steps... I would recommend printing these instructions out because they are detailed and lengthy.

1) Please download SmitfraudFix

Disconnect your computer from the internet by unplugging your network cable from your router.
Double-click SmitfraudFix.exe
Select #5 Search and clean DNS Hijack
Please reboot your computer, reconnect your router, and then post the report found at the root of the system drive, usually at C:\rapport.txt
==========================================
2) Let's manually reset your DNS.

Open Network Connections by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

Right-click the connection that you want to change, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

To obtain a DNS server address automatically, click Obtain DNS server address automatically, and then click OK.
==========================================
3) Click Start - Run. The Run dialog box will open.
Type cmd in the box and click Enter. A DOS window will open.
Type ipconfig /flushdns <=Note the spacing
Reboot your computer!


Thanks!



#13 DonohoFlnkr (Topic Starter)

Posted 23 April 2009 - 12:59 PM

Thanks. I'll try this now.

Results:

SmitFraudFix v2.412

Scan done at 13:53:15.45, Thu 04/23/2009
Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
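Taken together, the MBAM log in post #7 and the SmitfraudFix report above show what this DNS hijack looked like in the registry: MBAM removed static NameServer values pointing at 85.255.112.146 and 85.255.112.76 from every control set, while SmitfraudFix shows the only resolver DHCP ever handed out was the router at 10.0.0.1. The following is an added example, not code from Malwarebytes, SmitfraudFix or the posters: it parses both formats and reports any statically configured resolver that DHCP did not supply, which is the check to repeat after the manual DNS reset and `ipconfig /flushdns` to confirm nothing has been written back. The /24 LAN size is an assumption taken from the 10.0.0.1 gateway and 10.0.0.2 host in the IE diagnostic; the sample inputs are constructed from the lines posted in the thread.

```python
"""Audit of the DNS resolver settings a DNSChanger-class infection rewrites
(added example for this thread; not code from Malwarebytes, SmitfraudFix or
the posters). Parses NameServer lines from an MBAM log and DhcpNameServer
lines from a SmitfraudFix report, then flags every static resolver that DHCP
never handed out. Inputs are constructed from the thread; /24 is assumed."""
import ipaddress
import re

# Constructed from the MBAM log above: registry data items flagged as Trojan.DNSChanger.
MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.",
]

# Constructed excerpt of the SmitfraudFix "DNS After Fix" section posted above.
SMITFRAUD_REPORT = r"""
Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{98923AF6-4271-44CD-B789-A57B569EF962}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
"""

# Assumed LAN, derived from gateway 10.0.0.1 and host 10.0.0.2 in the IE diagnostic.
LAN = ipaddress.ip_network("10.0.0.0/24")

# "<registry key>\NameServer ... Data: a,b" as MBAM prints a registry data item.
STATIC_RE = re.compile(r"^(?P<key>HK\S*\\NameServer)\b.*?Data: (?P<data>[\d.,]+)")
# "DhcpNameServer=a,b" as SmitfraudFix prints the DHCP-assigned resolvers.
DHCP_RE = re.compile(r"DhcpNameServer=(?P<data>[\d.,]+)")


def parse_static_resolvers(lines):
    """Registry key -> resolvers held in its static NameServer value."""
    static = {}
    for line in lines:
        m = STATIC_RE.search(line)
        if m:
            static[m.group("key")] = [ipaddress.ip_address(a)
                                      for a in m.group("data").split(",") if a]
    return static


def parse_dhcp_resolvers(report):
    """Set of resolvers the DHCP server actually handed out."""
    found = set()
    for m in DHCP_RE.finditer(report):
        found.update(ipaddress.ip_address(a) for a in m.group("data").split(",") if a)
    return found


def audit_resolvers(static, dhcp, lan=LAN):
    """(registry key, resolver, reason) for each static resolver to look at.
    On a DHCP-configured home PC the static NameServer value should be empty,
    so anything that does not match a DHCP-supplied resolver is reported, with
    off-LAN addresses called out explicitly."""
    findings = []
    for key, resolvers in static.items():
        for r in resolvers:
            if r in dhcp:
                continue  # exactly what the router handed out; nothing to flag
            where = "on the LAN" if r in lan else "outside the LAN"
            findings.append((key, str(r), f"static resolver {where}, not supplied by DHCP"))
    return findings


def hijacked_resolvers(findings):
    """Unique off-LAN resolvers from an audit, sorted, for the write-up."""
    return sorted({addr for _, addr, reason in findings if "outside" in reason})


if __name__ == "__main__":
    static = parse_static_resolvers(MBAM_LINES)
    dhcp = parse_dhcp_resolvers(SMITFRAUD_REPORT)
    found = audit_resolvers(static, dhcp)
    for key, addr, reason in found:
        print(f"{addr:16} {reason}  [{key}]")
    print("hijacked:", hijacked_resolvers(found))
```

A clean machine gives an empty audit: after the fix the NameServer values are gone, and a static entry that merely repeats the DHCP resolver is deliberately not reported, so the check can be re-run after every reboot until it stays quiet.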

#14 rigel (BC Advisor)

Posted 23 April 2009 - 03:14 PM

Ok... Please update and rerun Malwarebytes - full mode. Post its fresh log.



#15 DonohoFlnkr (Topic Starter)

Posted 23 April 2009 - 11:24 PM

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/23/2009 11:48:30 PM
mbam-log-2009-04-23 (23-48-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221371
Time elapsed: 1 hour(s), 38 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



