laptop won't connect to internet

TheRanger53 · May 18, 2012

It is a dell laptop running xp pro with service pack 3 and boots up fine but will not connect to the internet. I installed malwarebytes on it in safe mode from a flash drive and tried to run a scan. Everything looked normal until malwarebytes just shut down and when I tried to restart it I got an error message that stated that windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the file. When the computer was first brought to me by a friend the system clock had been changed to 2002. I reset that in order to get the computer to boot right.

LDTate · May 18, 2012

You'll need to download this to your Flash Drive and transfer it to the laptop.

Windows Repair (all in one)

Download Windows Repair (all in one) from this site

Install and then run the program.

On the Start Repairs tab, select Advanced Mode and click Start

Select the items Checked in the screen shot below (remove the checks from the rest ) and check Restart System When Finished.

----------

Once complete let me know if that fixed the issues.

LDTate · May 21, 2012

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

LDTate · May 22, 2012

 Sorry for the lack of response since I first posted. I've been doing a lot of hours at the prison that I work at. I downloaded the program you gave me the link to and installed and ran it. This version did not give me the option to select the advanced tab though. It did not resolve the problem of connecting to the internet. IE does not load up but Firefox will although it cannot connect to the homepage. I have tried wired and wireless connections. I did run a virus scan using openoffice portable off of the flashdrive but found nothing. Thanks again for the time.

Try this:

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /flushdns

IPCONFIG /renew

IPCONFIG /registerdns

netsh winsock reset

netsh int ip reset

regsvr32 netshell.dll

regsvr32 netcfgx.dll

regsvr32 netman.dll

Exit

TheRanger53 · May 22, 2012

Ok I tried that but IE still has issues even starting and when it does neither IE or Firfox will connect. I also cannont get the antivirus that is installed to run a scan. It is AVG free edition and has not been updated since 1/7/12.

LDTate · May 22, 2012

Copy Combofix to your flash drive and transfer it over to the non-working pc.

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on the iexplore.exe ComboFix.exe & follow the prompts.

Be sure to download any updates.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have SP3, use the SP2 package.
If Vista or Windows 7, skip the Recovery Console part
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

TheRanger53 · May 22, 2012

ComboFix 12-05-22.02 - D600 05/21/2012 23:53:11.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.202 [GMT -4:00]

Running from: c:\documents and settings\D600\Desktop\ComboFix.exe

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

c:\documents and settings\All Users\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.ico

c:\documents and settings\All Users\Application Data\d04cc2a

c:\documents and settings\All Users\Application Data\d04cc2a\638.mof

c:\documents and settings\All Users\Application Data\d04cc2a\WED.ico

c:\documents and settings\All Users\Application Data\d04cc2a\WEDDSys\vd952342.bd

c:\documents and settings\All Users\Start Menu\Programs\Security Defender

c:\documents and settings\All Users\Start Menu\Programs\Security Defender\Security Defender.lnk

c:\documents and settings\D600\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

c:\documents and settings\D600\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.ico

c:\documents and settings\D600\Local Settings\Application Data\{D6609136-00B2-434C-AF00-EFA8B1095666}

c:\documents and settings\D600\Local Settings\Application Data\{D6609136-00B2-434C-AF00-EFA8B1095666}\chrome.manifest

c:\documents and settings\D600\Local Settings\Application Data\{D6609136-00B2-434C-AF00-EFA8B1095666}\chrome\content\_cfg.js

c:\documents and settings\D600\Local Settings\Application Data\{D6609136-00B2-434C-AF00-EFA8B1095666}\chrome\content\overlay.xul

c:\documents and settings\D600\Local Settings\Application Data\{D6609136-00B2-434C-AF00-EFA8B1095666}\install.rdf

c:\documents and settings\D600\Local Settings\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

c:\documents and settings\D600\Start Menu\Programs\AnVi

c:\documents and settings\D600\Start Menu\Programs\AnVi\About.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Activate.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Antivirus Support.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Antivirus.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Buy.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Scan.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Settings.lnk

c:\documents and settings\D600\Start Menu\Programs\AnVi\Update.lnk

c:\documents and settings\D600\Start Menu\Programs\Security Defender

c:\program files\AnVi

c:\program files\Security Defender

c:\program files\Security Defender\Security Defender.dll

c:\program files\Security Defender\Security Defender.ico

c:\windows\PRAGMAwtxyexuwob

c:\windows\PRAGMAwtxyexuwob\PRAGMAcfg.ini

c:\windows\PRAGMAwtxyexuwob\PRAGMAsrcr.dat

c:\windows\system32\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

c:\windows\system32\c_03184.nl_

c:\windows\system32\drivers\vbmac37a.sys

c:\windows\system32\SET40B.tmp

c:\windows\system32\SET40C.tmp

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\wuauclt.exe

.

Infected copy of c:\windows\system32\DRIVERS\usbhub.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\usbhub.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PRAGMAWTXYEXUWOB

-------\Service_PRAGMAwtxyexuwob

-------\Service_vbmac37a

.

((((((((((((((((((((((((( Files Created from 2012-04-22 to 2012-05-22 )))))))))))))))))))))))))))))))

.

2012-05-21 14:12 . 2012-05-21 14:12 -------- d-----w- C:\Reg_Backup

2012-05-21 14:12 . 2012-05-21 14:17 181064 ----a-w- c:\windows\PSEXESVC.EXE

2012-05-21 14:12 . 2012-05-21 14:14 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs

2012-05-21 14:11 . 2012-05-21 14:11 -------- d-----w- c:\program files\Tweaking.com

2012-05-17 11:43 . 2012-05-17 11:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2012-05-17 08:59 . 2012-05-17 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-17 08:59 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-15 12:34 . 2012-05-17 08:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-05-15 12:34 . 2012-05-15 12:34 -------- d-----w- c:\documents and settings\D600\Application Data\Malwarebytes

2012-05-15 12:34 . 2012-05-15 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys

[-] 2008-04-13 19:19 . D41D8CD98F00B204E9800998ECF8427E . 0 . . [------] . . c:\windows\system32\drivers\ipsec.sys

[7] 2004-08-12 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys

.

[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys

[-] 2008-04-13 19:19 . D41D8CD98F00B204E9800998ECF8427E . 0 . . [------] . . c:\windows\system32\drivers\ipsec.sys

[7] 2004-08-12 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk

backup=c:\windows\pss\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^D600^Desktop^Startup^6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk]

path=c:\documents and settings\D600\Desktop\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk

backup=c:\windows\pss\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-12-17 16:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akuxejoxodokakej]

2008-04-14 00:12 72704 ----a-w- c:\windows\WMVDBAD.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]

2011-12-03 06:22 2415456 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

2006-11-01 16:48 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R280 Series]

2007-04-13 10:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKA.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hrikixuqot]

2008-04-14 00:12 199680 ----a-w- c:\windows\udovefifizo.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]

2009-07-17 15:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]

2009-12-09 01:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-09-04 23:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xnorqlu]

2012-01-11 14:37 33280 ----a-w- c:\documents and settings\D600\Local Settings\Application Data\App\xnorqlu.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SeaPort"=2 (0x2)

"ose"=3 (0x3)

"NIS"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"gusvc"=3 (0x3)

"AVP"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"wlidsvc"=2 (0x2)

"avgwd"=2 (0x2)

"AVGIDSAgent"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 2:14 AM 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 2:13 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 2:13 AM 230608]

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [9/25/2007 6:13 PM 92550]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 295248]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 2:14 AM 134608]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 2:14 AM 24272]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 2:14 AM 16720]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/15/2012 8:34 AM 40776]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/12/2004 9:30 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]

S4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 7:09 AM 192776]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\D600\Application Data\Mozilla\Firefox\Profiles\9ej5tf8a.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)

HKCU-Run-6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186 - c:\documents and settings\D600\Application Data\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

MSConfigStartUp-6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186 - c:\windows\system32\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.avi

MSConfigStartUp-dfrgsnapnt - c:\docume~1\D600\LOCALS~1\Temp\dfrgsnapnt.exe

MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

MSConfigStartUp-Gamevance - c:\program files\Gamevance\gamevance32.exe

MSConfigStartUp-SearchSettings - c:\program files\Dealio Toolbar\SearchSettings.exe

AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-22 01:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(652)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3228)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG2012\avgrsx.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2012-05-22 01:22:25 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-22 05:22

.

Pre-Run: 26,311,151,616 bytes free

Post-Run: 26,238,337,024 bytes free

.

- - End Of File - - 03EB9916AE786ADC506D1280EC762309

The computer is still acting as it has been but when It rebooted after the scan there was an error message that stated this" Error loading C:\ Documents and Settings\ D600\ Application Data\ 6DFE5BE-77D0-5C3B-535B-1F2726BBB186.AVI

The specified module could not be found.

LDTate · May 22, 2012

[-] 2008-04-13 19:19 . D41D8CD98F00B204E9800998ECF8427E . 0 . . [------] . . c:\windows\system32\drivers\ipsec.sys

I think that's at least part of the problem with it showing 0 bytes.

Let me see what I can figure out

LDTate · May 22, 2012

There are some others that need fixed.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\D600\Local Settings\Application Data\App\xnorqlu.dll
c:\documents and settings\All Users\Start Menu\Programs\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk
c:\windows\pss\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk
c:\documents and settings\D600\Desktop\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk
c:\windows\WMVDBAD.dll
c:\windows\udovefifizo.dll

FCopy::
c:\windows\ServicePackFiles\i386\ipsec.sys | c:\windows\system32\drivers\ipsec.sys

ClearJavaCache::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xnorqlu]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^D600^Desktop^Startup^6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akuxejoxodokakej]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hrikixuqot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xnorqlu]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

TheRanger53 · May 22, 2012

Ok that seems to have fixed the connectivity trouble. I will paste the log and see if you see any other problems. Should I go ahead and install mbam?

ComboFix 12-05-22.02 - D600 05/22/2012 4:33.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.225 [GMT -4:00]

Running from: c:\documents and settings\D600\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\D600\Desktop\CFScript.txt

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

FILE ::

"c:\documents and settings\All Users\Start Menu\Programs\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk"

"c:\documents and settings\D600\Desktop\Startup\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk"

"c:\documents and settings\D600\Local Settings\Application Data\App\xnorqlu.dll"

"c:\windows\pss\6DFE5BE1-F7D0-5C3B-535B-1F2726BBB186.lnk"

"c:\windows\udovefifizo.dll"

"c:\windows\WMVDBAD.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\vbmac37a.sys

.

c:\program files\AVG\AVG2012\avgwdsvc.exe . . . is infected!!

c:\program files\AVG\AVG2012\avgwdsvc.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\windows\System32\WLTRYSVC.EXE . . . is infected!!

c:\windows\System32\WLTRYSVC.EXE . . . was deleted!! You should re-install the program it pertains to

.

--------------- FCopy ---------------

.

c:\windows\ServicePackFiles\i386\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys