TechSpot

This Virus is driving me crazy - WinSock error

By brenlar
Oct 28, 2009
  1. Hello Techspot Community,

    I recently ran a Norton internet security scan and found a virus. According to my Norton Scan the Virus was quarantined and removed. (Severity HIGH - risks in compressed file "divx v6.0pro.rar" detected virus by scanner)

    The problem is that I am no longer able to get on the internet. When I open up Explore I get a "Internet Explorer cannot display the webpage"

    I tried to Diagnose the connection and i get the following errors in the log:
    Winsock status
    info - error attempting to validate winsock base providers 2
    error- not all base service provider entries could be found in the winsock catalog. a reset is needed.

    info- HTTP, HTTPS, FTP connectivity
    info- FTP passive -successfully connected to ftp.microsoft.com
    warn- HTTP: successfully connected to www.microsoft.com
    warn-HTTPS: ERROR 12002 connecting to www.microsoft.com. The operation timed out.
    warn-HTTPS: ERROR 12002 connecting to www.passport.net. The operation timed out.
    error- could not make an HTTPS connection.

    I followed the "8-step Viruses/Spyware/Malware Preliminary Removal" and attached the logs.

    Can someone please help me? I am lost.
    Thanks in advance
    Brenlar
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, brenlar. I'll try to help you sort out the cause for the problem.

    First, when you ran Malwarebytes, you did not check the line to remove the malware found. So the entries show: No action taken.

    SAS found many Tracking Cookies- a sign that you might not be doing regular maintenance on the system. To get then under control:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    About the connection problem: these two entries are in the HJT log:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    OrgName: Best Buy Co., Inc.
    OrgID: BBC-19
    Address: 7601 Penn Avenue South
    Address: NONE
    City: Richfield
    StateProv: MN

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;192.168.1.1;<local>;*.local

    The second entry is telling the system to over ride the proxy, to use the machine IP127.0.0.1 and connect through the router: (IP 192.168.1.1) then you show both <local> and a wild card *.local

    See if this will work for you:
    Click on Start> Run> type in cmd> enter> copy this and paste it in on the cmd screen:

    netsh winsock reset

    and press enter again to rebuild the LSP chain

    The Proxy Override should look like this:

    R1 -
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = <local>


    The <local> stops internal addresses from going through the proxy.

    To change this: Open IE> Tools> Internet Options> Connections> LAN settings> uncheck "Bypass Proxy Server For Local Addresses"> Apply> OK

    Let me know if this reestablished the connection. If it does, you will need to update Malwarebytes and scan again with the section for removal checked.

    I might not have explained the proxy settings in the best technical terms, but I hope you understood it.
     
  3. brenlar

    brenlar TS Rookie Topic Starter

    Thanks Bobbye! I appreciate you taking the time to help me out. I am a novice user so I hope I did everything correctly.

    I was able to reestablish the connection. :)

    I followed all the steps above.
    -removed malware
    -reset cookies
    -changed internet options to block third party cookies...
    -reset Winsock

    I am not sure if the LSP chain was rebuilt correctly because the "Proxy override" still looks the same in the HJT log.

    Also, I was not able to uncheck ""Bypass Proxy Server For Local Addresses" since that box was greyed out and unchecked anyway.

    I updated Malwarebytes and found one more Virus which I removed.
    I did run another scan with Norton and did not find a virus.

    I think I should be good to go since I am now able to get online.
    Thanks again for all your help and please let me know if you think I should do anything else.
    Brent
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is a matter of concern. I would like to see that log and have you run two additional programs.

    IF you do not want to do that, remove the cleaning tools:
    Remove all of the tools we used and the files and folders they created
    • DownloadOTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    If you decide to finish the cleaning, please let me know.
     
  5. brenlar

    brenlar TS Rookie Topic Starter

    Hi Bobbye,

    My internet connection is now hit or miss. I cannot consistently get on the internet.

    I have attached the logs you requested. I have two malwarebytes logs. One was for my PCs hard drive (C:) and the second is for my USB removable storage device (F:).

    Should I will hold off on running OTcleanit in case I need to run another scan?

    Thanks in advance.
    Brent
     
  6. brenlar

    brenlar TS Rookie Topic Starter

    Whoops. Sorry for the smiley faces behind the hard drive name. I entered a colon and then parenthesis.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, don't remove the cleaning tools if you want to pursue this:

    System shows that you have a pirated program: WinDVD Platinum 7.0 (Release 2) Build 27.071 +keygen

    You will need to uninstall the pirated program if you want continued support. Flash drive shows a Rogue Installer.

    If you do the uninstall, follow with this:
    Please reopen HijackThis to 'do system scan only'. Check the following processes if present:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


    I also recommend checking the following for removal: UNLESS you set this proxy up with BestBuy. Leave it alone if you did

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080

    You are also using a pop-up blocker which is considered Adware:
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll

    I recommend that you check this for removal for the following reasons:
    • Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
    • Some types of adware are also spyware and can be classified as privacy-invasive software.[/b]

      Close all Windows except HijackThis. Click on "Fix Checked."


      Download SDFix HERE and save it to your Desktop.
      • Double click SDFix.exe and it will extract the files to %systemdrive%
        (Drive that contains the Windows Directory, typically C:\SDFix)

        Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

        Run SDFix
      • Open the extracted SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      • Attach Report.txt back here

      Rescan with HJT after SDFix: attach SDFix report, PASTE HJT log.
     
  8. brenlar

    brenlar TS Rookie Topic Starter

    Hi Bobbye,

    I have followed all of your instructions and attached the SDfix and HJT logs.

    I was not able to reestablish an internet connection.

    Please let me know what you think my next step should be.

    Thanks in advance.
    Brent
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you still can ge the connection, try resetting the router:

    DNS Changer
    You will need to reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.-

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5].With the router unplugged, start your computer. Run MBAM again.
      [6].Connect to the router again. The turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

    The current logs are clean. IF the router reset works, go ahead and run the removal tools. If the Mbam scan shows anything, attach the log in next reply.
     
  10. brenlar

    brenlar TS Rookie Topic Starter

    Thanks Bobbye. I will give that a shot.

    Thanks again.
    Brent
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FYI, DivX is video codec download. Prov6 s the version. This program is frequently pirated from torrent sites.
    It may be this- WinDVD Platinum 7.0 (Release 2) Build 27.071 +keygen- or another pirated program.

    You will need to remove those programs.
     
  12. brenlar

    brenlar TS Rookie Topic Starter

    Hi Bobbye,

    I followed the instructions above. I removed the WinDVD Platinum Program and reset my wireless router. I am not able to establish a wireless internet connection but I was able to establish an internet connection with an Ethernet cabel. My PC is connecting to the Wireless Router and the signal is strong. Once I pull up a web browser and try to access the internet I get a ""Internet Explorer cannot display the webpage"


    I have attached the Mbam log. I did find one infected file in my E: drive. The E: drive is my DVD Rom and I had my Netgear Router Install disk in the E: drive at the time of the Scan. I do not beleive this is a problem.

    If you have any other ideas on how I can fix my wireless connection please let me know.

    By the way I have two other wireless devices that can connect to the internet through my wireless Netgear router.

    Thanks in advance.
    Brent
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So two of the three computers can connect throught the Netgear wiireless router, but the third system cannot- it can only connect using the Ethernet. Got to be a driver problem:

    Check in the Device Manager for errors:
    Click on Start> Run>type in devmgmt.msc> enter> click on + sign to expand Network Adapter and look for a yellow triangle with black ! point. The do a right click> Properties on each device> if any show error, try updating the driver.

    Then please be sure there is NOT disc in the E drive. Update and run Malwarebytes again. Attach new log.

    Follow with online scan:
    Open
    Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...