Lost internet (via IE) / localhost access / ftp ability

[john97]

I recently lost complete access to the internet, localhost via my browsers and the ability to connect out via ftp. I've been able to "fix" the internet access with firefox, but not IE. I can ping 127.0.0.1, but not local host. In firefox and IE, when I attempt to access localhost page (I'm using IIS) I receive:
HTTP Error 503. The service is unavailable.
When I attempt to use ftp, I receive:
Status: Connection attempt failed with "EAI_FAIL - Nonrecoverable failure in name resolution".
Error: Could not connect to server
I've used netsh, but seems to no avail as I can not even locate the log file any place on my pc.
I've updated IE (7 to 8), my ftp client, but still no fix.
I'm not very familiar with this, your help would really be appreciated.

 

[kimsland]

Run IE Reset Fixit Tool:

Or manually from here https://www.techspot.com/vb/post682762-2.html
Then restart Internet Explorer

Also download and run CCleaner (and tick the square for DNS cache as well) http://www.ccleaner.com/download/downloading

 

[john97]

Hi Kimsland,
I've followed your steps, and although the CCleaner did a fabulous job in clearing nearly a Gb of useless files, the process had no apparent effect on my problem, other than now I receive the message with IE8 ... "Internet Explorer cannot display the webpage" and when I use the "diagnose connection problems" button I receive "cannot connect to the web server 'localhost'. The host may be down. Windows found a problem that cannot be repaired automatically. Similiar situation with any other web page with IE.
I can not ftp. I can still ping 127.0.0.1 but have no response when I ping localhost. Localhost still is not reachable via neither IE nor Firefox. I am able to browse the internet successfully though with Firefox.
I realize that I keep asking, but any further advice would most certainly be appreciated.

 

[kimsland]

Hi john97

Generally we ask all members to go through this guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions
As there is really no use trying to repair something when Virus or Malware (that can easily be removed) is present (or not)

Although I state you really must follow the guide, try this anyhow

If you have AVG installed, uninstall it, then run the AVG Remover Tool
Then Restart
An Antivirus that I recommend is Free Avira Antivirus (but test Internet first)

Also, try updating your Hosts file: http://mvps.org/winhelp2002/hosts2.htm
Download; Unzip, run: mvps.bat > then Restart

One of those may fix the issue too (with any luck

 

[john97]

Hi Kimsland,
I've followed your steps, now I'm starting the 8 step process. Regarding step 1 - I've installed Avira - do you recommend I also install one of the firewalls? I'm currently running the windows firewall in vista.

 

[kimsland]

No I don't

Removal of Malware does not require installing a 3rd party firewall

 

[john97]

I'm working through the 8 steps. At this point I've installed the superantispyware and am attempting to update. I'm receiving this message even though the windows firewall is off :

"There was an error trying to retreive definitions. Make sure your firewall is not blocking superantispyware.exe from accessing the internet."

Do you want me to scan without updating, or do you have another way to update?

 

[kimsland]

SUPERAntiSpyware, Manual Update file: http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE

Malwarebytes, Manual Update file: http://mbam.malwarebytes.org/database/mbam-rules.exe

Once updating and scanning, you might be able to update online after that, as manual updates are not as up to date, as automatic ones

 

[john97]

I've completed the 8 steps. I've attached two malwarebyres files (one before the manual update - the other after). The auto updates still will not function.

 

[john97]

Hi Kimsland,
Just to update ... the original problems persist.

 

[kimsland]

Combofix:

• Download Combofix to your desktop.
• Disable your Antivirus (as Combofix will remove any found malwares)
• Double click ComboFix & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here

Also restart and provide a fresh HJT Scan log

 

[john97]

log files

I've attached the combofix log file. I can't seem to attached the hjt log and it's too long for this message, so I've included the 1st part here with the 2nd part to follow immediately.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:54 PM, on 04/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3080104
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[john97]

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10149 bytes

 

[kimsland]

Thanks for that part log

Do remember to attach

logs though

Oh and if Ad-Aware is the free version you can uninstall that too
Along with SUPERAntispyware

 

[john97]

I sent apost reply with the combofix log attached. ai attempted to attach the hjt log, but kept receiving a message that I had already submitted the file to this thread, even when I renamed the file. I copied and paste the log in the message, but had to do that in two parts as the log file was too large. I sumitted the post with the combofix file attached just seconds before I sent the post with the 2nd part of the hjt log - I don't see that post on my list though. Can you tell me how to attach the hjt file, and I send it immediately.
Please excuse me for the confusion.

 

[john97]

Ad-Aware & SAS removed

 

[kimsland]

Oh I had that issue once

Just rename the logs to something totally different like "here-it-is.log" or even Zip it up

 

[john97]

The logs files

I've zipped the hjt and the combofix log files.

 

[kimsland]

You stated that Ad-aware and SUPERAntispyware are removed, but they are still in your logs
You possibly did not restart before creating the HJT log

Also you seem to have run Combofix a few times in the past
The problem is Combofix keeps updating all the time, so can we just make absolutely positive that you are using the right version:

Un-install Combofix

• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK
• Any popup errors about Antivirus just ok or close

Note: 1 space after ComboFix in that uninstall command

Download Combofix

• Download Combofix to your desktop.
• Disable your Antivirus (as Combofix will remove any found malwares)
• Double click ComboFix & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here

Also restart and provide a fresh HJT Scan log

----------------------

Also these folders in Bold can be removed:
C:\found.000
c:\program files\AVG
c:\program files\Ad-Aware
c:\program files\Spyware Doctor (I think this one is uninstalled, anyway I don't like Spyware Doctor that much)

 

[john97]

I'm feeling real stupid here, but when I select start I don't seem to have a run option. Is there another choice?

 

[kimsland]

Sorry, I generally refer to "Start > Run" as meaning

> Search

I'm still back in the XP days

 

[john97]

The files

I've attached new combofix and the hjt logs

 

[kimsland]

We are so close now

One more scan, and then uninstall all these tools (not Malwarebytes though )
And clean up, and we're done.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan. (else the paste will be thousands of pages long )

 

[john97]

I've attempted to run the gmer multiple times. The most it reaches is just past the iat and begins devices. Then I get the blue screen ... that mentions pxldypog.sys, and my pc reboots.

 

[john97]

If I run in safe mode, I can see where it stops .... /device/harddiskvolume1 ... and an alert appears that windows has encountered an error an is closing the program (at least not the blue screen - lol)