Reboot and run a new HJT log and see if it came back. This is often associated with a wareout rootkit that is very hard to see in an HJT log. If it comes back we will have to see if we can find it.
Let's verify that you could get to Amazon.com if you had a good DNS.
In IE where you would normally type in amazon.com type in
72.21.206.5
and hit Enter.
Did you get to amazon.com OK?
If so we can do two things as a workaround.
1. You can try to use a manually entered DNS. Start, Control Panel, Network Connections. Now open the connection you usually use for the Internet by double-clicking on it. If you have an Ethernet connection to a router or cable/DSL modem it will probably be called Local Area Connection. If a dialup, it will probably have the name of your dialup company.
Follow the instructions at:
http://support.iprimus.com.au/index.php?option=com_content&task=view&id=379&Itemid=120
which I have copied below and modified to use a different US based DNS.
Click Start, open the Control Panel. If it says "Pick a category" up the top, click the "Switch to Classic view" link in the top-left of the window. Click Network Connections. Ignore anything in the Dialup or Broadband sections - the connection to your modem or router will be in LAN or high-speed Internet.
First, check for icons that are marked as "Disabled". Generally, nothing should be disabled - right-click on any item that's disabled and select Enable. Ignore any item called 1394 Connection (that's your Firewire port) and - unless you're configuring a wireless router - you can also ignore any Wireless Network Connections. There will generally only be a Local Area Connection remaining; this will be the connection to your modem/router.
Right-click on the icon and select Properties. On the General tab, click the Internet Protocol (TCP/IP) component (you'll find it in the list in the top half of the window) and click the Properties button.
On the new window that opens, in the bottom half of this window, select the "Use the following DNS server addresses:" option, then enter the Primus DNS resolver servers into the boxes below:
Preferred DNS Server: 143.166.83.13
Alternate DNS Server: 143.166.224.3
Click OK, then close all other windows and exit out of any programs you have running.
Then Start, Run, cmd, OK to open a black cmd window and type:
ipconfig /flushdns
then close the cmd window.
Open Internet Explorer (or any other Internet application); you should now be able to connect.
2. Not as good but may work in a pinch. You should probably check the hosts file anyway to make sure that amazon.com is not assigned to 127.0.0.1. Run HJT, Misc Tools, Hosts File Manager, Open in Notepad. A clean hosts file will have some text at the top with a # sign in front of each line. The last line will normally be
127.0.0.1 localhost
If you see anything else below this line, delete it, then add on the line just below:
72.21.210.11 amazon.com
So that the final hosts file looks like:
#blah blah (these are just notes and are ignored.)
127.0.0.1 localhost
72.21.210.11 amazon.com
Then save and close the file, then do the ipconfig /flushdns as above.
Finally let's see if Blacklight can see the infection:
Hit "I accept." It will take you to the download page. Download blbeta.exe and save it to the Desktop. Once saved, double-click blbeta.exe (you may not be able to see the .exe) to install the program. Click Accept Agreement and click Scan. This app may trigger a warning from your antivirus. Let the driver load. Wait for it to finish. If it displays any items, don't do anything with them yet. Just hit Exit (close). It will drop a log on the Desktop whose name starts with fsbl followed by a big number.
Please post contents of log in your next reply.
You can also try:
Download AVG Anti-Spyware v7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
After download, double click on the file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
Press "OK".
Click the "Extended" tab and scroll down the list to find AVG Anti-Spyware guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.
Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
Once the updates are installed do the following:
Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan?" check all (default).
Under "Possibly unwanted software" check all (default).
Under "What to Scan?" make sure "Scan every file" is selected (default).
Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
Close AVG Anti-Spyware. Do not scan yet.
Please boot into Safe mode:
Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
Use the arrow keys to highlight Safe Mode and press the Enter key.
Once in safe mode, continue with the instructions below:
Launch AVG anti-spyware by double-clicking the icon on your desktop.
Select the Scanner icon at the top, then the Scan tab then click on Complete System Scan.
AVG Anti-Spyware will now begin the scanning process; be patient, this may take some time. Once the scan is complete do the following:
When prompted about an infection, please select Apply all actions.
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to your Desktop.
Now close AVG Anti-spyware. Reboot back to your normal user mode.
Thanks Ron. I scanned and fixed those four items. Still can't display Amazon.com. All else seems to work fine. I rebooted and one of those items came back. I came up with this hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:59:51 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Entering Amazon's IP address did the trick. And, I checked restricted sites and didn't see it in there. So, now I'm moving on to the first method of the two you listed. Before I change the LAN DNS info, I have a question. I have two connection icons in my network connections viewer. The top one, Broadband Connection, has a black check on it, which I guess means it's the default. The bottom one, Local Area Connection, doesn't have a check of course. Both are active? Both are firewalled. I used to run two computers off this router long ago, and, unsure how to do it, I set up the network this way. My question is: which of these two do I use to modify DNS info? The LAN DNS fields are blank. The Broadband ones are the 855...dns numbers.
RKinner, December 19th, 2006 12:00
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE43E72B-B871-4DDD-A2E9-1B5C1E452F3C}: NameServer = 85.255.114.46,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED6B5B78-6562-4382-8F5D-26125F187C55}: NameServer = 85.255.114.46 85.255.112.115
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
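As an added example (not part of this thread or of HijackThis), a Python script that checks the two things this thread is fixing: O17 NameServer entries like the ones quoted above, and hosts-file mappings like the 127.0.0.1 amazon.com redirect the earlier post says to look for. The trusted resolver list is an assumption (the two addresses the instructions recommend), and the sample log and hosts content are constructed from lines on this page.

```python
import ipaddress
import re

# O17 line as HijackThis prints it; the server list may be comma- or
# space-separated (both forms appear in the log quoted in this thread).
O17_RE = re.compile(
    r"^O17 - .*\\(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Map each interface GUID found in an O17 line to its list of resolvers."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found[m.group("guid")] = re.split(r"[,\s]+", m.group("servers").strip())
    return found

def rogue_resolvers(log_text, trusted):
    """(guid, resolver) pairs whose resolver is outside every trusted network;
    a value that is not a valid IP address is reported as well."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    rogue = []
    for guid, servers in parse_o17(log_text).items():
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                rogue.append((guid, server))
                continue
            if not any(ip in net for net in trusted_nets):
                rogue.append((guid, server))
    return rogue

def hosts_overrides(hosts_text):
    """Every hosts-file mapping other than the standard localhost line.
    A clean XP hosts file has only '#' comments plus '127.0.0.1 localhost'."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1") and names == ["localhost"]:
            continue
        overrides.append((ip, names))
    return overrides

# Constructed sample input: the two O17 lines quoted in this thread plus a
# hosts file carrying the kind of redirect the earlier post warns about.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE43E72B-B871-4DDD-A2E9-1B5C1E452F3C}: NameServer = 85.255.114.46,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED6B5B78-6562-4382-8F5D-26125F187C55}: NameServer = 85.255.114.46 85.255.112.115
"""
TRUSTED = ["143.166.83.13", "143.166.224.3"]  # assumed: the resolvers set manually above
SAMPLE_HOSTS = "# comments are ignored\n127.0.0.1 localhost\n127.0.0.1 amazon.com\n"

if __name__ == "__main__":
    for guid, server in rogue_resolvers(SAMPLE_LOG, TRUSTED):
        print(f"rogue resolver {server} on interface {guid}")
    for ip, names in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {ip} -> {' '.join(names)}")
```

Run against a real HJT log and C:\WINDOWS\system32\drivers\etc\hosts, any line it prints is something to compare against the resolvers your ISP actually assigned before deciding it is hostile.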
RKinner, December 19th, 2006 16:00
OK so you have an infection of some kind.
bri-dawg, December 19th, 2006 16:00
Scan saved at 10:59:51 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Brian\LOCALS~1\Temp\Rar$EX08.344\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED6B5B78-6562-4382-8F5D-26125F187C55}: NameServer = 85.255.114.46 85.255.112.115
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
bri-dawg, December 19th, 2006 17:00
RKinner, December 19th, 2006 17:00
to your desktop, then right-click on it and Install.
RKinner, December 19th, 2006 17:00