TechSpot

Internet connection hijacked

By eigilsa
Oct 19, 2005
  1. I was hit by some nasty malware. I used F-secure Internet Security to get rid of most of it. Afterwards I discovered that I had no internet connectivity. I have figured out a way to restore it: reinstall the network driver (use NetWear WLAN card), BUT when I log out and in again (or reboot) the connection is lost. The WLAN connection looks good, but I cannot even ping my gateway.

    I saw a tip to run LSPfix, it did give me something that needed to be fixed, but the problem was still not resolved. The LSPfix currently shows:
    mswsock.dll
    winrnr.dll
    rsvpsp.dll
    on the keep side, nothing on the remove side.

    I have also used HJT to remove some stuff based on other posts on this site, but no success.

    Maybe I have removed too much?

    Anyway, help would be appreciated. The HJT log is here: http://folk.uio.no/eigilsa/hijackthis.txt (attachment didn't work)

    Thanks,

    Eigil
     
  2. zephead

    zephead TechSpot Paladin Posts: 1,569

    lemme paste in here my all-time hail-mary plan. it cleans up machines pretty well and isn't too time consuming.

    download, install, and update AVG free edition. (free.grisoft.com) do not run a scan.

    download, install ad-aware SE personal (http://www.lavasoftusa.com/software/adaware/). update definitions file but do not run a scan.

    download, install ccleaner (http://www.majorgeeks.com/download4191.html), choose not to install the context options during setup.

    download, install ewido security suite (http://www.ewido.net/en/) uncheck "Install background guard" and "Install scan via context menu" during installation.

    reboot your computer into safe mode by pressing F8 repeatedly during the boot process until you get a menu. use your arrow keys to select safe mode and hit enter. log into windows as "administrator", not your normal user account.

    run a full system scan in AVG antivirus.

    reboot your computer into safe mode by pressing F8 repeatedly during the boot process until you get a menu. use your arrow keys to select safe mode and hit enter. log into windows as "administrator", not your normal user account.

    run a full system scan in ad-aware. when prompted with the results, check everything except the "MRU objects" and click "delete" in the bottom right corner.

    reboot your computer into safe mode by pressing F8 repeatedly during the boot process until you get a menu. use your arrow keys to select safe mode and hit enter. log into windows as "administrator", not your normal user account.

    open ewido and run a complete system scan. when it finds its first problem (if Ewido finds anything), it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

    open ccleaner, and run the operation "run cleaner" in corner

    reboot your computer, letting it boot normally and log into your user account. download mozilla firefox (www.mozilla.org) and make it your default browser. when you use the internet, use firefox instead of IE to do so.

    these operations take out more than 90% of your problems. run hijackthis, save a logfile, and post it here.
     
  3. eigilsa

    eigilsa TS Rookie Topic Starter

    Tried all of the above, still the same symptoms.

    new HJT at same location as original post.

    Eigil
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /S/ Service needs to be stopped
    /R/ unRegister the xxx.DLL in that line
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /P/ E:\Utility\Setup.exe <<== YOU DECIDE IF NEEDED
    G:\Documents and Settings\Eigil\Local Settings\Temp\{936D42B8-FE51-41D5-A74A-6182F6CDB17B}\wlancfg5.exe
    When you delete the contents of \Temp\, this double entry will disappear.
    /R/ O4 - HKLM\..\Run: [AdService] G:\WINDOWS\System32\AdService.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23e59287b5d5c5da8403/netzip/RdxIE601.cab
    /P/S/ O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    /P/S/ O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    You run F-Secure, no need for these avg7
    ...................................................................................................
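
The fix list in the post above, turned into structured steps. This is an added example, not part of the original post or anything the poster ran; the legend and sample lines are copied from the post, while the function name, field names and the step ordering are assumptions.

```python
import re

# Legend from the post: what each /X/ tag asks for before the HJT fix.
LEGEND = {"P": "stop process", "S": "stop service", "R": "unregister DLL"}

# Sample input: lines copied from the fix list in the post above.
FIX_LIST = r"""
/P/ E:\Utility\Setup.exe <<== YOU DECIDE IF NEEDED
/R/ O4 - HKLM\..\Run: [AdService] G:\WINDOWS\System32\AdService.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
/P/S/ O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
You run F-Secure, no need for these avg7
"""

TAG_RE = re.compile(r"^((?:/[PSR])+/)\s*(.*)$")   # leading /P/, /S/, /R/, /P/S/ ...
SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - ")     # HJT section code, e.g. O4, O23
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # first drive-letter path


def parse_fix_list(text):
    """Return one dict per actionable line: ordered steps, HJT section, file path."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        tags = []
        tagged = TAG_RE.match(line)
        if tagged:
            tags = [t for t in tagged.group(1).split("/") if t]
            line = tagged.group(2)
        section = SECTION_RE.match(line)
        if not tags and not section:
            continue  # blank line or free-text remark from the helper
        path = PATH_RE.search(line)
        entries.append({
            # Assumed order: manual steps first, then the line is ticked and fixed in HJT.
            "steps": [LEGEND[t] for t in tags] + (["fix in HJT"] if section else []),
            "section": section.group(1) if section else None,
            "target": path.group(0) if path else None,
        })
    return entries


if __name__ == "__main__":
    for entry in parse_fix_list(FIX_LIST):
        print(entry["section"] or "--", " -> ".join(entry["steps"]), entry["target"] or "")
```
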
     
  5. eigilsa

    eigilsa TS Rookie Topic Starter

    Thanks for your advice - I've done it all, but No luck.
    HJT log is updated (link in first post).
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your latest log is clean.
    What malware were you hit by before? Perhaps you did not clean it up properly.
    Have you tried Ewido? Read: How to remove Trojans and its ilk!

    What is your network connection like?
    PC-WLAN-card-Router-Modem-web?
    Or PC-WLAN-card-Modem-web?
    Dial-up or Broadband?
    Try DrTCP if broadband: http://www.dslreports.com/drtcp
    Click Start/Run and type cmd /k ipconfig /all and click OK to see your IP-setup.
     
Topic Status:
Not open for further replies.
