
Not able to connect - HiJack Log: S.O.S!

Hi, I've been trying to help a friend for a couple of days.
The problem was: laptop extremely slow and not able to go online anymore.

From what I've seen it was badly infected and the girl messed it up trying to install and later remove antivirus and such things.

I think I've removed most of the infections (using several tools), and the computer is more responsive and faster, but it still doesn't go online even though it gets its IP assigned properly (all the TCP and DNS settings are correct), and from the command prompt I'm able to ping fine (I've tried pinging my router and external sites like www.yahoo.com, and everything is fine). Ipconfig shows everything as it should, my DNS, etc.

So I'm sure that there's something evil that is still acting when the browser tries to connect (I get the classic blank error page like there would be no network connection).

As per your instructions, I've run (or re-run) ATF, AdAware, Spybot S&D, SpywareBlaster today (using a manual file definition update where possible, like for AdAware).

Adaware found no problems, Spybot found these three red problems (I told it to fix them):

Microsoft.WindowsSecurityCenter.AntivirusDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntivirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdateDisableNotify!=dword:0

SpywareBlaster found no problems.

Then I downloaded Kaspersky too (yesterday I used Panda, then uninstalled it).

It found two files:

AdWare.Win32.Sidesearch
AdWare.Win32.00/Guard.a

I deleted them.

Then I closed everything else and ran HiJackThis.
This is its log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:47 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NTMETER.EXE
C:\Smdata\ReadSctService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
F:\Antivirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ???
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3E6E873F-9712-4506-AC32-EEAAB08370B0} (NEC Content Update) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143855600571
O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://172.21.244.10:8080/registration/CAT/CNICAT.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NT Meter - Unknown owner - C:\WINDOWS\system32\NTMETER.EXE
O23 - Service: ReadSector (ReadSctService) - Unknown owner - C:\Smdata\ReadSctService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

Please let me know, I'm exhausted after these two days :-(

Thanks :-)
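A small triage helper, added here as an example; it is not part of the original post and not HijackThis's own code. It parses log lines in the O2/O4/O16/O23 format used above (the sample lines are copied from that log) and flags the entries a helper would check first: registrations whose file is reported missing, O16 ActiveX downloads with no source URL or one served from a bare IP address, and O23 services with no identified owner or a binary outside the Windows and Program Files directories. The flag names, the expected-directory list and the function names are this example's own choices.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Sample lines copied from the log in the post above; the odd cases are kept
# on purpose (a DPF entry with no URL, a service whose binary is missing).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://172.21.244.10:8080/registration/CAT/CNICAT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3E6E873F-9712-4506-AC32-EEAAB08370B0} (NEC Content Update) -
O23 - Service: ReadSector (ReadSctService) - Unknown owner - C:\Smdata\ReadSctService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"
# Where a service binary is expected to live on a stock XP install (example's assumption).
EXPECTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    section: str                 # "O2", "O16", "O23", ...
    body: str                    # everything after "Oxx - "
    path: Optional[str] = None   # file path or download URL, if the line has one
    missing: bool = False        # HJT reported the registered file as missing
    flags: List[str] = field(default_factory=list)


def check_dpf(e: Entry, parts: List[str]) -> None:
    """O16: ActiveX download (DPF). Flag missing source and bare-IP sources."""
    url = parts[-1] if len(parts) > 1 else ""
    if not url:
        e.flags.append("dpf_no_source_url")
        return
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return                   # a hostname, not an IP literal
    e.flags.append("dpf_from_ip_literal")
    if ip.is_private:
        e.flags.append("dpf_from_private_address")


def check_service(e: Entry, parts: List[str]) -> None:
    """O23: service. Flag unknown owner and binaries outside the usual directories."""
    if len(parts) >= 2 and parts[1].lower() == "unknown owner":
        e.flags.append("service_unknown_owner")
    if e.path:
        p = e.path.lower().strip('"')
        if not p.startswith(EXPECTED_SERVICE_DIRS):
            e.flags.append("service_outside_expected_dirs")


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, body=body)
    if body.endswith(MISSING):
        e.missing = True
        body = body[: -len(MISSING)].rstrip()
        e.flags.append("registered_file_missing")
    if section == "O4":
        # O4 - HKLM\..\Run: [name] path
        after = body.split("] ", 1)
        e.path = after[1].strip() if len(after) == 2 else None
    else:
        parts = [p.strip() for p in body.split(" - ")]
        e.path = parts[-1] if len(parts) > 1 and parts[-1] else None
        if section == "O16":
            check_dpf(e, parts)
        elif section == "O23":
            check_service(e, parts)
    return e


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one flag, i.e. the review queue."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in needs_review(triage(SAMPLE_LOG)):
        print(f"{e.section:4} {', '.join(e.flags):45} {e.path}")
```

The flags are a review queue, not a verdict: "Unknown owner" only means HijackThis found no vendor string, and the log above shows it for the ATI and Kaspersky services too, while a "(file missing)" entry is usually a registration left behind by software that was uninstalled (here the WinTools BHO and the ZoneAlarm vsmon service). An ActiveX control fetched from a private address such as 172.21.244.10 is worth asking about because that source is only reachable on whatever network the laptop was on when it was installed.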

Comments

  • edited January 2007
    Just a little update.
    Since I read about it in another thread, I just downloaded and ran WinsockFix, but it did not fix my connection issue, and besides that something has changed (dunno if it's because of this program).

    The IP and the other values are still assigned properly (opening the little connection icon in the Windows tray on the right of the screen), but if I try to do some pings from the command prompt, they time out (while this morning they were working fine, as I said in my previous message).

    The ipconfig /all results seem OK, like this morning. Here they are...

    Hostname: computername
    Primary DNS Suffix: (THIS IS BLANK, dunno if it's expected)
    Node Type: Hybrid
    IpRouting Enabled: No
    WinsProxy Enabled: No

    Then....

    Description: Realtek etc. etc.
    Physical address: 00-30-13-E5-73-D3
    Dhcp enabled: Yes
    Autoconfiguration Enabled: Yes
    IP Address: 192.168.1.2
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1
    Dhcp server: 192.168.1.1
    DNS Servers: 208.67.222.222 - 208.67.220.220 (these are correct, they are the OPEN DNS values I use in my router)

    Last thing: of course, when I say here I download something, I do it from other computers in my network, since this laptop can't.

    Thanks, hope someone can help :-)