Can't access Internet - Firewall Settings? (after cleaning malware)



Trying to fix my elderly stepdad's computer:

I just ran MBAM and removed several stubborn hijackers/redirected hosts but I still can't access the internet. I ran the diagnostic test and got this message:

"Windows cannot connect to the Internet using HTTP, HTTPS or FTP. This is probably caused by firewall settings on this computer.

Check the firewall settings for the HTTP port (80), HTTPS port (443) and FTP port (21).

You might need to contact your Internet service provider (ISP) or the manufacturer of your firewall software."

I have tried to turn off the Windows firewall; when I go into the firewall settings I am able to select the turn it off button, but when I go back to the main security screen it still shows as being on.

Any suggestions on how to proceed?

(I recently installed NOD 32 trial version and everything was working fine until latest attacks. I am currently connected to his machine with Log me in, so I know the internet is working, but I don't know why he can't connect to the Internet from his machine.)


Additional info: I guess MBAM didn't get rid of everything. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 12:54:36 PM, on 10/23/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25433

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1285969849591

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1286406026593

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shoc...ash/swflash.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 8323 bytes


Welcome calcwoman -

Here are some steps to diagnose update issues:

Step 1

Click on this link and let me know what it says. It should be just a 4-digit number in the upper-left corner.

(4930) My result -

Step 2

Please download and run the traceroute utility at this link. It will run a traceroute to our update servers to see if it can find the connection issue, and then it will write it to a log, and open that log in Notepad when it is done. Please either save the log as a Text File and then attach it to a reply, or copy and paste it into a reply, and I will forward it on to our server guy.

Note that it may take several minutes to run, and it may look like it is not doing anything for a few minutes. Normally it takes longer when there are errors that it has to log, but it's rare for it to go more than 10 minutes.

Name: edge.data-cdn.mbamupdates.com

Address: 68.232.45.13

My result in 35 seconds (from Australia)

Step 3

Please download TCPView from Microsoft at this link.

This utility will monitor everything that is accessing the Internet or your local network. All you have to do is run TCPView, and then run Malwarebytes' Anti-Malware and start the update. Watch TCPView to see if mbam.exe shows up in the list. It will be pretty obvious, because it highlights it in green.

I need to know what "Remote Address" Malwarebytes' Anti-Malware is trying to connect to. Once it shows up in the list, you can right-click on the line for mbam.exe, and select 'Copy' in order to paste it into a reply. It will tell me what I need to know. Below is an example of what the line you are looking for will look like inside the following code box:

mbam.exe:3656	TCP	vista-x64:52135	cdn-208-111-168-7.ord.llnw.net:http	ESTABLISHED

All the Diagnostic items will disappear after you use them -

Also, can you please use the ADD REPLY Tab at the bottom of the screen, under the Quote tab, when you reply -

Thank You -

Welcome to www.getantivirusplusnow.com

This site may harm your computer.

New Site at www.getantivirusplusnow.com. ...

Welcome to www.getantivirusplusnow.com. You Can Find Free Deals and Discounts at Slick Deals


After a fuller read and review of those basic logs it seems that there are some infections present - Please follow the directions below -

Please print out, read and follow What do I do now?, skipping any steps you are unable to complete.

The next step is to post a New Topic Here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post - Please allow at least 48 hours for a reply as the experts can get busy at times -

Also add a brief note to the experts as to your problems -

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or via This Link

Always use the ADD REPLY Tab at the bottom of the page when you reply -

Thank You - :)

