Infection has caused issues with IE and internet connectivity and more


5 replies to this topic

#1 northend

northend

  • Members
  • 3 posts

Posted 14 January 2010 - 01:22 PM

Hello,
I have an issue and I'm not sure which board to post it on so I thought I'd try here.
Somehow, my laptop (Vista OS) got infected yesterday. My first realization was when I pressed F7 to mute the audio: the onscreen display that normally pops up on screen didn't. Then I noticed that it was sluggish, so I ran CCleaner and rebooted. When it came back up, MS Windows Defender, Adaware and Malwarebytes all discovered infections. I ran Windows Defender and Adaware separately and they both discovered and removed infections. I then ran Malwarebytes and tried to check for updates but got an error message with Error code: 732(12029,0) and was not able to update it. So I ran it anyway and it found and removed issues. I then rebooted into Safe Mode with Networking and ran it again, and no more infections were discovered.

I launched Firefox and everything seemed fine. I then launched IE 8 and got "Internet Explorer cannot display the webpage". When I asked it to diagnose the problem, I got this:

"www.google.com" is not set up to establish a connection on port "World Wide Web service(HTTP)" with this computer. Verify the current proxy server configuration


But I'm not using a proxy server at all. I then tried launching Opera and it was the same as it was for IE 8...I was unable to connect to the internet. I have no idea why it's happening, I can still get online if I use Firefox, but IE8 and Opera are unusable. I tried uninstalling Opera and then reinstalling it, but I was still unable to connect to the internet. Also, while the Function keys appear to work, I no longer have any onscreen display like I used to.

Does anyone have any idea what the issue with my internet connection is? Any suggestion would be greatly appreciated.

Thanks,
Don




#2 trev47

trev47

  • Members
  • 113 posts

Posted 14 January 2010 - 11:47 PM

Check your proxy settings
In IE, go to Tools --> Internet Options --> click the Connections tab --> click LAN settings
In the box that pops up make sure everything is unchecked!


Now, download Malwarebytes from http://malwarebytes.org/, update it, and run a full scan. Remove any infections found and post the results in your next reply.

#3 northend

northend
  • Topic Starter

  • Members
  • 3 posts

Posted 15 January 2010 - 12:19 PM

Hi Trev,
Thanks for the quick settings info. I can now connect to the internet with IE and Opera again. But I still do not have the onscreen display of function keys, like volume, mute, brightness, etc. I updated and ran Malwarebytes, but it found no other issues. Any other suggestions?


#4 trev47

trev47

  • Members
  • 113 posts

Posted 16 January 2010 - 12:23 AM

Can you post the log from Malwarebytes when it detected infections? When you ran CCleaner, did you clean the registry? It sounds to me like you have a broken "hotkey" application, and that is why your buttons aren't working. That can be fixed by re-installing the app from the manufacturer.

I would really like to see your log to make sure that you are clean.

#5 northend

northend
  • Topic Starter

  • Members
  • 3 posts

Posted 16 January 2010 - 12:52 PM


I didn't clean the registry; I just ran CCleaner. Here is the Malwarebytes log and the log for MS Windows Defender.

Malwarebytes:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865

1/14/2010 1:47:28 AM
mbam-log-2010-01-14 (01-47-28).txt

Scan type: Quick Scan
Objects scanned: 97028
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgqsrirh (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Windows Defender Log:

Category:
Trojan:Win32/FakeSpypro

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
process:
pid:3440

Category:
Trojan:Win32/FakeSpypro:Win32/FakeSpypro

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
process:
pid:5056

Category:
Not Yet Classified

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
regkey:
HKCU@S-1-5-21-354730766-1906780065-4114048024-1000\Software\Microsoft\Windows\CurrentVersion\Run\\dgqsrirh

runkey:
HKCU@S-1-5-21-354730766-1906780065-4114048024-1000\Software\Microsoft\Windows\CurrentVersion\Run\\dgqsrirh

file:
C:\Users\inspiron\AppData\Local\dkykfi\dahssysguard.exe



Category:
Trojan:Win32/FakeSpypro

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
process:
pid:5368
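
The two manual checks in this thread, the LAN proxy settings from reply #2 and the `Run` entry that appears in the logs above, can both be read from the current user's registry hive. The PowerShell below is an added example, not part of any post in the thread; it only reads, and the AppData/Temp flag is an assumed heuristic for what to review, not a detection.

```powershell
# Added example (read-only): audit the current user's IE proxy values and Run key.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ProxyFinding {
    # ProxyEnable/ProxyServer back the "Use a proxy server" box in LAN settings;
    # AutoConfigURL backs "Use automatic configuration script".
    $s = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
    if ($s.ProxyEnable -eq 1) { "Proxy enabled -> $($s.ProxyServer)" }
    if ($s.AutoConfigURL)     { "Auto-config script -> $($s.AutoConfigURL)" }
}

function Get-RunKeyEntry {
    $key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # Pull the executable out of the command line (quoted, or up to ".exe").
        $exe = $null
        if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(.+?\.exe)\b') {
            $exe = $Matches[1]
        }
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        New-Object PSObject -Property @{
            Name      = $name
            Command   = $cmd
            # Heuristic (assumption): autostarts under AppData or Temp deserve a look,
            # like the AppData\Local path in the Defender log. Not a verdict.
            Review    = [bool]($cmd -match '\\AppData\\|\\Temp\\')
            Exists    = $exists
            Signature = $sig
        }
    }
}

$proxy = @(Get-ProxyFinding)
if ($proxy.Count) { $proxy } else { 'No proxy or auto-config script set for this user.' }
Get-RunKeyEntry | Sort-Object Review -Descending |
    Format-Table Name, Review, Exists, Signature, Command -AutoSize
```

A `Run` entry whose target no longer exists (`Exists` is `False`) is a leftover of the kind a cleanup tool removes; an entry that exists, is unsigned, and sits under AppData is the one to look at first.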




#6 trev47

trev47

  • Members
  • 113 posts

Posted 16 January 2010 - 09:02 PM

Hi Don,
You are looking pretty good. To be certain let's do a few more scans.
Great directions from boopme for SAS and ATF cleaner
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner from http://www.atribune.org/index.php?option=c...5&Itemid=25
and then SUPERAntiSpyware, Free Home Version from http://www.superantispyware.com/?rid=3324 Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Next run a scan at http://www.eset.com/onlinescan/ and let me know if this finds anything.



