TechSpot

W2k: after running Combofix I'm unable to access Internet

By lemonflavor
Jan 15, 2008
  1. W2k: after running Combofix I'm unable to access Internet (!)

    I've been going through the 15 steps outlined on this site. After running Combofix I'm unable to access the Internet and the network. Is there a way I can unfix this?

    All my IP settings and configurations are unchanged. My other machine that I'm on now can access the internet but not my main computer.

    I'm afraid to use Winsockfix because last time I did this it brought back some malware.

    Here is the logfile. Thanks for any help.
     
  2. lemonflavor

    lemonflavor TS Rookie Topic Starter Posts: 17

    Log file is too big to post without multiple chunks. Let me know if there is a part that might be useful.

    Here is the last part:
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [08-01-15 14:12 163840]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [08-01-15 14:13 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

    C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
    Chimer.lnk - C:\Files\CHIMER\chimer.exe [2008-01-09 11:09:17]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Monitor Apache Servers.lnk - C:\Apache2\bin\ApacheMonitor.exe [2004-06-29 16:00:32]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\awvtu

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINNT\system32\drivers\sp_rsdrv2.sys [07-11-16 21:02 ]
    R1 wstcodecc;wstcodecc;C:\WINNT\system32\drivers\wstcodecc.sys [08-01-08 18:54 ]
    R2 dmsmbios;dmsmbios;C:\WINNT\System32\dmsmbios.sys [00-05-01 23:42 ]
    R2 YRGE;Security Service;C:\WINNT\system32\svcd\svchost.exe [08-01-10 17:57 ]
    R3 3cpciadi;3Com Windows Modem Driver PCI ADI;C:\WINNT\system32\DRIVERS\3cpciadi.sys [99-11-01 10:42 ]
    R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\system32\DRIVERS\FA31XND5.SYS [01-06-06 15:24 ]
    S1 AEC671X;AEC671X;C:\WINNT\system32\drivers\AEC671X.SYS [98-05-05 10:06 ]
    S1 DMX3191;DMX3191;C:\WINNT\system32\drivers\DMX3191.SYS [99-02-23 00:12 ]
    S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 06:00 ]
    S1 UMAXIS11;UMAXIS11;C:\WINNT\system32\drivers\UMAXIS11.SYS [98-03-06 11:42 ]
    S2 PV8630;PV8631 WDM Device Driver;C:\WINNT\system32\pv8630.sys [00-07-05 12:13 ]
    S2 UDNT;UDNT;C:\WINNT\system32\drivers\UDNT.sys [98-09-18 07:48 ]
    S3 NC100;Network Everywhere Fast Ethernet Adapter(NC100 v2);C:\WINNT\system32\DRIVERS\NC100A.sys [99-12-24 12:41 ]
    S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINNT\system32\drivers\adm8830.sys [99-11-01 10:56 ]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 14:40:08
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
    "ImagePath"="C:/Apache/mysql/bin/mysqld-nt.exe"
    .
    Completion time: 2008-01-15 14:43:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-15 20:43:44
    ComboFix2.txt 2008-01-12 20:14:51
    ComboFix3.txt 2008-01-11 20:23:30
    ComboFix4.txt 2008-01-11 16:43:08
     
  3. Didou

    Didou Bowtie extraordinair! Posts: 5,899

    Post the logs as attachments, everything is explained in the stickies so please follow them.
     
  4. lemonflavor

    lemonflavor TS Rookie Topic Starter Posts: 17

    I tried that, the attachment is too large.
     
  5. lemonflavor

    lemonflavor TS Rookie Topic Starter Posts: 17

    Hi,
    I did all the 15 steps. It solved quite a few problems but I'm still getting IE popups.

    And I'm not sure if this is related, but Windows Update won't work because IE hangs. I updated the Java Runtime. Otherwise IE can view web sites.

    Pando is fine.

    Here are the log files.

    017 is in fact my ISP:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:30 PM, on 1/15/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Apache2\bin\Apache.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Apache2\bin\Apache.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200359563593
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D262411A-E1D3-45BA-ADDF-F7111DEB345F}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Apache2\bin\Apache.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
    O23 - Service: Security Service (YRGE) - Unknown owner - C:\WINNT\system32\svcd\svchost.exe (file missing)

    --
    End of file - 5760 bytes
     
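    An added triage helper, written for this thread and not part of the original post or of HijackThis: it parses a constructed sample in the HijackThis v2 line format shown above and flags the entries a helper would want to look at first (the O10 Winsock LSP line, the O17 NameServer line the poster identifies as their ISP, and the O23 "Security Service (YRGE)" entry pointing at a missing svchost.exe under system32\svcd). The sample lines and the "looks suspicious" rules are the example's own assumptions.

```python
import ntpath
import re

# Constructed sample in HijackThis v2 format, modelled on the log in this thread.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D262411A-E1D3-45BA-ADDF-F7111DEB345F}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Security Service (YRGE) - Unknown owner - C:\\WINNT\\system32\\svcd\\svchost.exe (file missing)
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


def triage(log_text):
    """Return (section, reason, line) tuples for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            # HijackThis could not identify the LSP module. Verify the file before touching
            # the Winsock chain: removing LSP entries is what usually breaks connectivity.
            findings.append(("O10", "unidentified Winsock LSP module, verify before removal", line))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split(",")
            findings.append(("O17", "DNS servers %s, confirm they belong to the ISP" % ", ".join(servers), line))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("service binary is missing (orphaned service entry)")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor/owner recorded for the service")
            path = m.group("path")
            # svchost.exe legitimately lives directly in System32; a copy elsewhere is a red flag.
            if ntpath.basename(path).lower() == "svchost.exe" and not ntpath.dirname(path).lower().endswith("\\system32"):
                reasons.append("svchost.exe running from a non-standard directory")
            for reason in reasons:
                findings.append(("O23", reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%s: %s\n    %s" % (section, reason, line))
```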
  6. lemonflavor

    lemonflavor TS Rookie Topic Starter Posts: 17

    01/15/2008 16:46
    Scan of all local drives
    File C:\VundoFix Backups\awvtu.dll.bad is infected by Win32:TratBHO [Trj], Deleted

    Number of searched folders: 8849
    Number of tested files: 109447
    Number of infected files: 1

    Combofix is too large to post or attach.

    I put it here:
    http://www.webdesigns1.com/temp/combofixlog080115.txt
     
  7. dptech

    dptech TS Rookie

    Any problem with Internet (e.g. after virus attack) may be resolved with this free download ( helped me many times - safe application):
    snapfiles.comget_winsockxpfix.html
    ...replace "_" with "/" and add w..w.
     
Topic Status:
Not open for further replies.

