Can't get on internet or outlook server

I am running windows xp on my laptop.

outlook having problems connecting to server - sometimes won't, other times just very slow.

internet explorer will only sometimes open, when it does I can only usually navigate a page or two and then it won't open or the page will be blank.

I ran cc cleaner, spybot, and superantispyware. Can't find anything wrong.

Help, Please!!

Also ran a hijack this log that I attached.

 

Hi sartepat,
Welcome to Major Geeks!

Your HJT log shows that your computer is infected. Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs. Since you already ran SuperAntiSpyware, please use that log and don't run it again. You'll find the instructions for it along with the other scans we ask you to do. When we have your logs, we can put together a more complete set of instructions than what is possible with HJT. We try to get as much of an infection out with the first set of instructions as possible, because there's a better success rate that way, but to do this, we need to see all the logs so we know what files to remove.

See if you can get anywhere with that.

Thanks.
abri

 

O.K. Thank you for your help. Here are 3 of the logs. I will send the last one in another post.

 

The MGTools zip files are too big - so they are coming in two attachments

 

this is the last of the MG Zip file logs

 

So Sorry -

My first attachment of files for SuperAntispy, Malwarebytes, and combofix didn't attach.

 

I apologize if I have misread the maximum zip file size as 60 instead of 600 and thought I couldn't send it zipped. But in double checking, I sent the 6 files that were in the c:\Mglogs.zip file. I am reattaching it as the entire zip file.

Thank you.

 

Hi sartepat,

Please do the following:


1) Please disable your guest account if this hasn't already been done.

2) Go to add/remove programs and uninstall the below:

- Java(TM) 6 Update 5

3) Reboot after uninstalling the above.

4) Install the current version of Sun Java from: Sun Java Runtime Environment

5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

O2 - BHO: (no name) - {60428EF3-CEE8-408D-8B16-1A8A5EE9EBE5} - (no file)
O2 - BHO: (no name) - {A58EABB2-C830-48BD-A9CF-CFEDD4EDB1DF} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: khfeeeb - khfeeeb.dll (file missing)
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)


After you click fix, just close hijackthis.


7) Download and install Erunt. Use it to create a backup of your registry.

8) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

9) Now run CCleaner at the default setting with the Windows tab as the top one.

10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


Let me know how things are running now?

abri

 

Thank you so much for your help. Attached are the logs you requested.

When I was all done, I went to Outlook and I received mail much faster.

Then I went to internet explorer and my home page opened fairly fast. I went to another page with moderate speed. Then I went to your webpage to send this reply, and it wouldn't open so I had to send this from another computer.

I went back to outlook and the send/receive isn't running again either.

Thanks for your continued help -- hopefully we are getting closer.

 

Hi sartepat,

When you removed the malware, your computer worked momentarily, which would make one think the malware was gone and has come back. The fact that your send/receive in Outlook Express worked briefly and now doesn't points at a temporary improvement. If the MGlogs.zip you gave me were run before you tested the internet and Outlook Express, the possibility exists that the files came back and they are simply not in your logs. I'll have you create a new set in the steps below.

Another thing you should know and can easily test is if you still can't get to MajorGeeks from that one computer. Our site's been down a lot lately, so it's possible that the reason you couldn't get to this site from your computer but could from another might have been the coincidence that you switched computers exactly between a down time and an up time.


Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

Let me know how things are running now?

abri

 

I have attached a new mglogs. I still can't go on the internet. My home page slowly opened. But anywhere else I try to go either never comes up, comes up blank, or can't be displayed.

The email is working as before, having a very hard time receiving email. If there is no attachment and only a small file, it eventually seems to get through.

Thanks again.

 

Hi sartepat,

What happens if you turn off your Symantec Intrusion Protection? And I'll have more questions later, but let me know about this.

abri

 

It didn't make any difference. Thanks for your continued help.

 

Hi sartepat,

I don't see any evidence for further malware on your computer and am suspecting the problems you're having could be either Norton or Spybot related or possibly a problem with the hardware or software connections to you ISP.

I would like for you to do the following:

Please remove these files, but before you do, please check if there are any timestamps in Windows Explorer for these three entries. Then delete these items (2 files and one folder) and while you're in there, delete anything else from these two temp directories which Windows allows you to delete. Windows will not allow you to delete temp files from the same day. Remember to get the time information first.

C:\Documents and Settings\CP\Local Settings\Temp\
CC58.tmp
tosBtExt

C:\WINDOWS\Temp\
JETE290.tmp

After you get the dates of the above and remove them, please disable Spybot S&D and go to add/remove programs and uninstall Spybot. Then reboot your computer.


[FONT=Microsoft Sans Serif, sans-serif]Reset Web Settings & Default Security Settings[/FONT]

Note for IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

Then I would like for you to reset your host files:

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• click the Make Writeable? button.
• click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

When you finish removing the temp files and resetting your websettings and hosts files, please reinstall Spybot, update it and click on the immunize button and allow it to immunize. The link for the download is on this page: Windows XP Cleaning Procedure

When you finish the above, please let me know if you were able to get any information about the temp files. Also, if you are still having the same internet problems.



Please note:

Just for information, on the same day as your logs (and also when the above temp files showed up in your log), you also got two text files under WINDOWS with regard to your modems:

C:\WINDOWS\
modeml~1.txt Jun 19 2008 4608 "ModemLog_Conexant HDA D110 MDC V.92 Modem.txt"
modeml~2.txt Jun 19 2008 4492 "ModemLog_Standard 33600 bps Modem.txt"

This also appeared the same day:

C:\Documents and Settings\CP\Desktop\
e-mail.lnk Jan 19 2008 104 "E-mail.lnk

Additionally, you have a program called ModemOnHold (netwaiting.exe) in your running processes.

There are processes in both Spybot and Norton which control your internet browsing.

Let me know how this goes.
abri

 

The tosbExt file was empty and created 6/21/08 7:59:22 pm

The other two files were not there.

The only other thing in temp was cc166.tmp which I deleted.

It still won't open - it half opens and never finishes.

I don't know much about computers other than I can follow your instructions. So I am not really sure the significance or meaning of the note about the modems. Can you explain that to me?

Two things I have noticed that I wonder if they mean anything:

1. Since the time I went to msconfig and set it to "normal startup", I get an apoint.exe error message whenever I start saying it couldn't find the dll. I just click o.k. and it starts up and works fine.

2. I noticed the wireless network connection icon in the icon tray flashes blue. which i think it always did. But when i was watching spybot update, it seemed like there were unusually long flashes off and that the update progressed when it was blue. Should it flash, or should it always be blue? Either way it always said it was connected with an excellent signal strength.

 

Hi sartepat,

Let's see what we can do with msconfig. Go to Start / Run and type in msconfig and click on okay. In the window that opens up, click on diagnostic start up. Then go to the startup tab. In the startup tab, make sure your Symantec antivirus and live updates are checked. Leave anything else that has to do with Symantec unchecked. If there's software for you monitor, make sure this is checked. Click on accept and okay and reboot your computer. Try the internet and see if anything is different.

The notes I listed were just information that there are a number of non-malware items in your computer that have to do with the internet. I will probably have to have you go to the Software Forum and start a new thread where you can get more feedback, but I wanted to go through some routine steps first.

You still have all the software and logs we had you put on your computer. It will help to uninstall some of this. To begin with, please go to add/remove programs and uninstall SuperAntiSpyware.

When you finish the above, let me know if diabling some of the Symantec programs at startup had any effect.

abri

 

in the startup i only have ccApp or osCheck (Norton Internet Security) as any choices relating to symantec -- no antivirus or live update items. So I haven't done anything yet.

 

Hi sartepat,

The thing which is disturbing is that it worked briefly just after we removed some already damaged malware files from your computer. And then it quit working again. I think I will have you run two more scans to see if there is any malware we've missed.

Do you have the same response regardless of which browser you use? (Firefox or Internet Explorer)

Please go to Alternate Scans and download two scans. One is a rootkit scan called GMER and the other is the trial version for an antispyware program called Counterspy. There are links to instructions for each of these. After you run them, please attach the logs.

If neither of these come up with anything, I will go back to my original thought that your Symantec may have corrupted files and need to be reinstalled.
abri

 

I have attached the file for the counterspy. I tried running the gmer twice and half way through windows shuts it down. I looked up instructions for safe mode to try and run it that way, but it says once I restart I press F8 when I see the message "please select the operating system to start". I never see that message, so I don't know how to start in safe mode.

While I was waiting for your last response, I tryed making sure norton was up-to-date (I did this a couple of days ago too - but had a hard time downloading). It did update today, and i don't know if it was coincidence or not, but I got on the internet and went to several pages. Then your message came and I ran those two tools. Now I am back to not getting on.

I don't have firefox installed on the computer.

Thanks for your continued help.

 

Hi sartepat,

There was more in Counterspy than I expected. Please run it again and see if it comes up clean.

Then I would like for you to install Firefox and try it as a browser. It is always good to have two browsers so you have an alternative when you need it. You'll find it at the following link at the very top of the list:

Browsers


I tend again to think that this is a Symantec problem and that the easiest was to find out is to completely deinstall Symantec and then use a free antivirus long enough to test your internet connection. If you feel comfortable trying this and have your activation key so you can reinstall Symantec later, then you can do as follows.

Read through the below instructions so you know the order of things.

First of all I will ask you to go to How to Protect Yourself from Malware and download one of the free resident antivirus programs. (If your internet connection is not working, you can put this onto an external medium like a cd or flash drive and transfer it to your computer. ONLY download the installation program. Don't install it yet. Remember where the installation program is, because you will need it later.

Then I will have you do the following:

First follow the instructions here: Removing Files from Norton Antivirus Quarantine

Then I want you to physically disconnect your computer from the internet, run the following, and then reboot. Then run it again and reboot again Norton Removal Tool (SymNRT)

(Please note that this will remove all Nortons including anything you may have like Ghost or System Works. If you have questions, ask.


After you've completed the above, but before you reconnect to the internet, find the free antivirus program that you have the installation program for and install it.

Reconnect to the internet and allow the new antivirus program to update.

Tell me if your computer is still having the same connection issues.

abri

 

O.K. I thought I was getting somewhere. I started going through your list and got to disabling the internet. I did that, and then realized that I had only downloaded Firefox to the external drive and not installed it. I enabled internet and installed it.

I checked Firefox and it was working and fairly fast - many different sites. For fun, I checked IE and it too was working, but not nearly as fast.

I disabled internet, removed Norton, installed Avast and enabled internet.

Again I could go to both sites - but not as fast as before.

I ran Counterspy again and got nothing. I tried the Gmer again - it worked this time - and I attached its log.

I was hoping to send this from that computer, but I can't get past the home page on firefox or on at all on IE.

Also - when the computer restarted after removing Norton, I get a message:

a program not recognized by CounterSpy, TosBtProc (tostbtproc.exe) is making changes to registry that could add or modify commands that appear on the right-click content menus for certain windows items." I blocked the change.

Hope something here helps!

 

Hi sartepat,

The counterspy warning is about a Toshiba Blue Tooth file.



Please download RegSrch.zip

Unzip the archive to your desktop and double click on the VBS file.
(If your AntiVirus alerts, allow the script to run.

Now enter Bifrost and post back with the results in this thread (call it regsrch.txt). If it doesn't find anything just tell me.

I would also like for you to run another rootkit scan. Please go to Alternate Scans and download and run TrendMicro's RootkitBuster. Attach the logs when it finishes.

abri

 

No instances of bifrost found

 

Sorry for my delay with this log - missed reading to do it. Thanks.

 

Hi sartepat,

I had chaslang look at your thread and he doesn't think it sounds like malware. He had some questions and suggestions.

His first suggestion is to uninstall all security software to start with. You've already removed Symantec, but I haven't had a chance to check your MGlogs again since then to see if there are any services which are left over. Please go to C:\MGTools\GetLogs.bat and double-click on the file to run it. Attach the MGlogs.zip back here. Then I will ask you to uninstall any remaining security software including your firewall, but not Avast. Leave that running.

Also please check the following:

Are any yellow ! appearing in Device Manager? (to get to the device manager, please go to Start and right-click on My Computer and click on Properties. Then select the hardware tab and click on the device manager button)

How does the user connect to the internet (DSL, cable...etc)? Does he use a router?

Does the samething happen in safe boot mode?

Is this a laptop?

Thanks for answering the above questions and attaching the C:\MGlogs.zip file.

abri

 

Hi Abri,

Attached is the mglogs.zip.

There is a yellow ! at mrtRate.

We connect through cable. Yes there is a wireless router. And this is a Dell laptop.

When you want me to delete security programs, can you elaborate. Do you mean Adaware and Spybot? What about anything you have had me install? And, lastly, I don't know of any firewalls other than Symantec (which I deleted) and windows. Am I supposed to delete the Windows firewall and how would I do that?

Lastly, I can't figure out how to boot up in safe mode. The help screen says to press F8 when I see the screen asking for what system to use. I never get that option and I have tried to press F8 randomly while the screen is still black, but nothing happens - it just opens in windows.

Thanks for your help.

 

Yes the 2 items in the internet protocol are selected. And when I go to the advanced tab in that, it says DHCP enabled. I don't know how to check the router.

Yes the message was successfully added to the registry.

attached is the mglogs.zip.

I still can't get on the internet with Firefox of IE even though it says I am connected. The home page (majorgeeks.com) is actually almost open and I opened it about 4 minutes ago. It is still transferring data. I tried that yesterday and if I waited long enough it would finish and then I could change pages and do the same wait a few times before it just never seemed to finish opening.

 

Yes, there are two. A PC that is wired to the router and a laptop on a wireless connection. Both of them are working with no problems.

The signal strength is excellent.

I have a Local area network that is disabled and a VPN Connection that is disconnected. I tried plugging the cable that goes from the router to the wired computer into the laptop instead and enabling either of those, and it didn't work.

I deleted Counterspy and restarted the computer. I was able to get onto my homepage and a couple of other pages in firefox with moderate speed again. But then it stopped. Still can't even half open a page in IE.

 

I finally got the computer to start in safe mode and yes it acts the same way.

 

Thank you for all your help.

I do have a question for you though: do I leave all the programs you had me install on the computer:

Malwarebytes, superantiSpyware, erunt, gtools, regsrch.zip, fixme.reg ... i think thats it.