Jump to content


Photo

unable to access web sites after spyware cleanup


  • Please log in to reply
7 replies to this topic

#1 john_guerra

john_guerra

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 04 June 2004 - 12:20 PM

i am working on a PC that belongs to a co-workers 16 year old son. As you can imagine, there was a ton of nasty stuff on it. I have cleaned most of it up with Ad-Aware, Spybot S&D, NAX and manually, but I have run into a problem. I cannot get it to let me browse the web. It's not just an IE problem either. I d/l'd mozilla and get the same results. It resolves DNS correctly as I can see the results in the status bar at the bottom. I can ping websites succesfully and AIM even starts and logs in so I know the connectivity is there. I can't even connect to internal intranet pages on my network by name or ip address.

Does this sound like a familiar sympton of any particular spyware to anyone? Or is this thing just screwed up? Here's the HJT log:

Thank you!

Logfile of HijackThis v1.97.7
Scan saved at 12:16:46 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.1.5:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [odjbcke] C:\WINDOWS\vqrnuo.exe
O4 - HKLM\..\Run: [ejugoawfm] C:\WINDOWS\svggy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#2 Starwaves

Starwaves

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 04 June 2004 - 01:04 PM

Nice cleanup~!

Run the scan for Hijack This again. Checkmark these 2 entries and click 'FIX'

O4 - HKLM\..\Run: [odjbcke] C:\WINDOWS\vqrnuo.exe

O4 - HKLM\..\Run: [ejugoawfm] C:\WINDOWS\svggy.exe

------->

Reboot into Safe Mode

Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


Search for and delete these files:
vqrnuo.exe
svggy.exe


Reboot into windows

---------->

Lost internet connection:

Yes, removing spyware can lose your internet connection, your probably able to connect with the host servor but cannot surf the net. Usually it's a corrupted LSP winsock connection via spyware removal, however in your Hijack log there's no mention of it, it would appear under 0 10 "broken internet connection/dll's name", but not always.

Download this winsock repair for your XP machine,
WINSOCK XP FIX

Run program, reboot and test connection,

;)

#3 john_guerra

john_guerra

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 04 June 2004 - 01:25 PM

Thanks for your reply.

I did as you suggested, but still have the same problem :wtf:

Any other suggestions? Is is time to format and reinstall?

Thanks again.

Here's the most recent log file:

Logfile of HijackThis v1.97.7
Scan saved at 1:21:49 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.1.5:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 04 June 2004 - 01:43 PM

Had you used Hijack this to remove anything, before you posted the first log?
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 04 June 2004 - 01:47 PM

this could cause it if its not a valid setting for your network:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.1.5:8080



#6 john_guerra

john_guerra

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 04 June 2004 - 01:53 PM

I did remove some obvious items using HJT prior to posting this log, but not anything that I was unsure of. Adaware and Spybot got rid of most of the stuff that was in there early on.

The proxy server setting is correct for my network, but I have since taken that out.

Something else I just discovered. I booted into "safe mode with networking" and was able to get on the web with no problem.

Thanks

John

#7 john_guerra

john_guerra

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 04 June 2004 - 02:35 PM

more info as i'm working on this...

Since I could get on the net, i ran windows update and it said i needed an update for IE. i d/l'd it and rebooted. when it came back up, i when into safe mode again, went back to windows update and it still said i needed the same update

#8 Starwaves

Starwaves

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 04 June 2004 - 03:07 PM

This still could be running a trojan that's commandeering your browser from your 'hosts' file. I would run this through a good online scan, and follow that with TDS-3 trojan remover as a backup to what we are seeing.

Online scans:
BitDefender Virus/Trojan Scan
RavantVirus Online Scan

--->
Clear Hosts file
Use 'Search' to find your "hosts" file, use quotations,
Click on 'More advanced options'
Check 'Search system folders', then check 'Search subfolders'

Open in Notepad or Wordpad,

Clean out all references except 127.0.0.1 localhost

Obiously you can study those entries and determine if there is a malicious one, but for the sake of knowing it's clean, wipe it all out,

---->

Download and run the best trojan remover:
TDS-3 Trojan Remover

After that you can rule out the virus/trojan effect on this

Finally, purge your 'system restore' for any trojan backups by disabling, then re-enabling it, unless you have done it already,

Disable 'system restore' , Disable XP System Restore

--- and re-enable it, reboot, test your connection,

;)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button