Spyware removal damaged browsing
mtrox
Minnesota
After removing a mountain of SpyWare (P-Gate, some CW, the usual suspects) from a client's notebook, he can browse for the first 10 minutes after a re-boot, then he can't get anywhere. I can ping addresses, I can ping URL's, but can't browse. Installed Firefox for him, same EXACT symptoms.
One of the Microsoft MVP's on a discussion group gave me some advice about how removing spyware can damage winsock. Here's what he sent me:
Removing malware can damage Winsock files. Run the appropriate Winsock repair tool for your version of Windows.
LSPFix - all versions of Windows: http://www.cexx.org/lspfix.zip
Winsock2 Fix - Win98, ME: http://www.bu.edu/pcsc/internetaccess/winsock2fix.html
WinsockXP Fix - WinXP: http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at http://www.iup.edu/house/resnet/winfix.shtm
You guys seen this often? I can't keep going back to this guy with new ideas. He's not a guy who understands the computer world.
So here's what I've done.
CWShredder...removed a file, now clean
AdAware several times...now clean
SpyBot...clean
AboutBuster...clean
WinsockxpFix.exe
LSPFix.exe
Still lose browsing capabilities after 10 minutes, although I can still ping addresses and URL's. Tried Firefox...no help, same exact symptom.
Here's what's left on the HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:45:24 AM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [CQC3INST] cqc3instnt -r
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
You can find the latest version (1.98.2) in our security downloads page. Please post a log with that version...
Well, client's out of town with the computer right now. I do have the newer version but didn't check to make sure I was using that on his machine. I tend to make a HJT folder on a sick machine and keep all my spyware removal tools there...ran HJT without checking to see if it's the latest.
Thanks for the help!
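Added example, not part of the thread or of HijackThis: a small Python triage pass over a log in the format posted above. It flags an outdated scanner version (1.98.2 is the version named in the reply), entries whose target is "(no file)", autorun values without a full path, and any O10 (Winsock LSP) line; the sample log, the tags and the function names are constructed for illustration, and a flag is a prompt for a manual look, not a verdict.

```python
import re

LATEST = (1, 98, 2)  # version the reply in this thread asks for
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Constructed sample in the format of the log above; the O10 line is made up.
SAMPLE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O10 - Broken Internet access because of LSP provider 'example.dll' missing
"""

def parse_hjt(text):
    """Split a HijackThis log into version, running processes and coded entries."""
    log = {"version": None, "processes": [], "entries": []}
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            log["entries"].append((m.group(1), m.group(2)))
        elif line.startswith("Logfile of HijackThis v"):
            log["version"] = tuple(int(p) for p in line.rsplit("v", 1)[1].split("."))
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line:
            log["processes"].append(line)
    return log

def triage(log):
    """Return (tag, detail) findings that deserve a manual look."""
    findings = []
    if log["version"] and log["version"] < LATEST:
        findings.append(("old-scanner", ".".join(map(str, log["version"]))))
    for code, text in log["entries"]:
        if code == "O10":                      # Winsock LSP section
            findings.append(("winsock-lsp", text))
        elif text.endswith("(no file)"):       # registry entry left behind, target gone
            findings.append(("orphan", f"{code} {text}"))
        elif code == "O4" and "Run" in text and ":\\" not in text.split("] ", 1)[-1]:
            findings.append(("run-no-path", text))  # autorun value without a full path
    return findings

if __name__ == "__main__":
    for tag, detail in triage(parse_hjt(SAMPLE)):
        print(f"{tag:12} {detail}")
```

The log posted in this thread contains no O10 line, so on that log this pass would report only the scanner version, the two "(no file)" URLSearchHook entries and the two autorun values without a path.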