Can't access Internet through network


matero
May 29th 04, 07:57 PM
I have been fighting this problem for more than a week!
I had trojan downloader.keenval.j. Browser kept trying
to default to incredifind, but could not access the
internet. It appears that I have been able to clean up
the trojan, but I still can't access the internet from
the previously infected computer. The other computers on
the network have no trouble. The infected computer can
access other computers on the network and other computers
can access it. Hijack This log follows:

Logfile of HijackThis v1.97.7
Scan saved at 12:44:02 PM, on 5/29/2004
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
D:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\CYB2K.EXE
D:\PROGRAM FILES\IE NEW WINDOW MAXIMIZER\IEMAXIMIZER.EXE
D:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
D:\PROGRAM FILES\ROCKET SOFTWARE\ROCKETTIME\ROCKETTIME.EXE
D:\PROGRAM FILES\D-LINK\D-LINK AIR UTILITY\UTILITY.EXE
D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
D:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.103:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
O4 - HKLM\..\Run: [IE New Window Maximizer] D:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] D:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Rocket.Time.lnk = D:\Program Files\Rocket Software\RocketTime\RocketTime.exe
O4 - Startup: D-Link Air Utility.lnk = E:\Program Files\D-Link\D-Link Air Utility\Utility.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37880.4788194444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

It was suggested to someone with a similar problem that
port 80 could be blocked. How do I check this? How do I
unblock it?

I have no good restore points. I must fix this problem.
Please help!
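matero asks how to check whether web access is being blocked. The Python below is an added example, not part of either post or of HijackThis itself: it parses HijackThis-format entry lines (the sample lines are constructed from the log above) and flags the R1 ProxyServer and O6 Restrictions entries that a reader of such a log would want explained, with a small TCP connect helper for checking whether a listed proxy host answers at all.

```python
"""Flag HijackThis log entries that can silently break web access."""
import re
import socket

# Constructed sample lines, modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.103:3128
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Every HijackThis entry starts with a section code (R0, R1, O2 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return (kind, body) tuples for each entry line, skipping header/process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (tag, value, reason) findings for entries that affect web access."""
    findings = []
    for kind, body in entries:
        if kind == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            findings.append(("proxy", proxy, "IE sends all HTTP through this host:port; "
                             "if it is not a proxy you set up, browsing fails while LAN shares still work"))
        elif kind == "O6" and "Restrictions" in body:
            findings.append(("restrictions", body, "IE policy restrictions key present; browser "
                             "hijackers commonly use it to lock the home page and disable Internet Options"))
    return findings


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds, e.g. to test whether a flagged proxy listens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for tag, value, reason in flag_entries(parse_entries(SAMPLE_LOG)):
        print(f"[{tag}] {value}\n    {reason}")
```

If the flagged proxy host does not answer on its port, the machine has no working HTTP path, which matches LAN access working while browsing fails.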

Noel Paton
May 30th 04, 10:26 AM
You may have a virus/spyware hijack.

Download the Stinger from here and run it to make sure that A-V-disabling viruses are not present on your PC:
http://download.nai.com/products/mcafee-avert/stinger.exe

- Update your virus scanner and run a full system scan of all files.

Reboot to Safe Mode and run CWShredder to remove variants of the CoolWebSearch hijacker:
http://www.merijn.org/cwschronicles.html

Use CWShredder, the removal tool:
http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/files/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
http://www.zerosrealm.com/downloads/CWShredder.zip

Download AdAware from www.lavasoftusa.com, install, update, and run it to remove spyware, adware, and other such nasties from your system.

Then see how your system responds - re-run HiJackThis and post back with the new log.

--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/features/2001/Mar01/Mar27pmvp.asp