Connection Refused to website on 2 computers

Discussion in 'Malware Help (A Specialist Will Reply)' started by acegirl, Oct 30, 2005.

  1. acegirl

    acegirl Private E-2

    Hi, I am a newbie to this so be gentle. I followed all your instructions on "read this first", and am still getting connection refused to various websites such as microsoft.com and private banking sites using both Firefox and IE on two machines. First machine is this (I will post a new thread for the 2nd machine after this one is fixed).

    specs:
    Toshiba Satellite Laptop
    Windows XP Pro vers 5.1.2600 Svc Pack 2
    Intel Pentium 4A 2800 MHz
    496 Ram

    Anti Virus Protection Norton Internet Security 2005
    Microsoft Anti spyware

    Problem first started with Norton detecting downloader.trojan. Followed NIS steps to remove manually... no longer detected.
    ON LINE SCANS:
    BitDefender found and deleted trojan.movidl.A
    Trend Micro found java_bytever.b but couldn't get a ticket to work to get it deleted. Note this is not detected by others. (Java version is old and couldn't get the new updated version to install, hung on site.)

    SAFE MODE SCANS:
    ccleaner nothing
    ad-aware se found and fixed tracking cookies clickbank and testclick
    spybot immunized and didn't use teatimer. (I think in this process backweb got altered now getting a runtime error on rebooting that says backweb)
    MS antispyware found and fixed adulto.content dialer
    cwshredder found and fixed cws.qttasks
    kill2me nothing

    ALTERNATIVE SCANS:
    ewido security found dialer and spyware hotbars, tribalfusionetc

    a-squared connection refused
    avast! nothing infected
    mcafee avert stinger nothing

    Did hijack log and followed instructions and fixed:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -
    %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -
    {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab

    O23 - Service: Distributed Link Tracking Service (TrkWksvc) - Unknown owner C:\WINDOWS\system32\TrkWksvc.exe (file missing)

    Reran HijackThis and the O23 line still comes up. I then went into the NT services window and deleted it. But it still shows on the report. When I checked services.msc it is stopped.

    Now 3 days later I'm still having connection refused problems, at wits' end, and need to be able to get into my online bill paying and banking services.

    Attached find various reports and latest hijack this.

  2. acegirl

    acegirl Private E-2

    This is the second computer's hijack file. It is also experiencing connection refused to website errors.

    It is a Dell with Windows XP Svc PK 2, Pentium 698 MHz, 128 RAM.

    Bitdefender and spybot found gain.gator and removed.

    Since I've loaded all of these spycatchers and now NIS 2005 it is incredibly slow. I'm also attaching the hijack log and startup log.

    There is a Canon memory card utility now hanging in the task bar which won't close. I bought this computer 2nd hand for my kids, so I think this is some photo management program, which now because of NIS and all the other stuff in startup won't get to the close point. I'm trying to uninstall it through Control Panel.

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a bad idea to try to work two PCs at the same time. It almost always leads to confusion.

    For the first PC! First comment, step 3 of the READ ME states:


    You have F-secure and Symantec installed.

    You should have HJT fix the below:

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0631ccf5b9fa43f55e22/netzip/RdxIE601.cab


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Distributed Link Tracking Service (or if not found look for TrkWksvc) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Distributed Link Tracking Service

    If that does not work try entering the short name: TrkWksvc

    Now exit HJT and reboot into normal mode. Then post a new HJT log and tell me if the O23 line is now gone. Also tell me how things are working for this PC.
     
  4. acegirl

    acegirl Private E-2

    hi....didn't know F-secure had downloaded...I thought I was only installing the online scan, and then it didn't work.

    I won't uninstall, I tried thru control panel, and the file itself...says "uninstalled failed invalid settings".

    I was able to delete lines O16 and O23 as described below.

    Rebooted and still can't get to microsoft.com and other websites... still connection refused errors.

    Also on reboot now getting a Symantec runtime svc error and a BackWeb runtime error, application id "447....." (didn't catch the full number because it went fast).

    Help?
     
  5. acegirl

    acegirl Private E-2

    FYI...I was in our webmail and an alert message came up www.website.com could not be found with an ok button.

    This time I closed it using the x button; and was still able to get on the webmail.

    I think this is how the virus/trojan works, you click ok and it adds the site to its list.

    So the question is, where is the list stored? I looked in Notepad where suggested, and didn't see the list of additional sites.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Similar to how we removed the other service, we will need to fix the two below services too.

    O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe


    Use the same steps I gave you in message number 3 (for Distributed Link Tracking Service, or if not found look for TrkWksvc) but look for the below and stop them, disable them, and then delete them with HJT:

    F-Secure 2006 ( or BackWeb Plug-in - 4476822 )

    fsbwsys

    Let me know if that removes the two services from your HJT log.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Let me know if this helps.


    I'm not sure what you mean. Please give the exact word for word error message.
     
  7. acegirl

    acegirl Private E-2

    got the two f-secure 023's deleted as instructed.

    in safe mode ran hoster, and reset....there were no additional websites listed in that file but reset to original anyway.

    Also re ran ccleaner, also did ipconfig /flushdns

    rebooted in normal mode and tried microsoft.com and other sites still got connection refused...no joy.

    The error I saw earlier was 44476822 so it was related to F-Secure. It and the Symantec error no longer appear.

    Interesting thing which may or may not be relevant: when I hit Start > Programs, I don't see HijackThis. I only see this file if I go to My Computer, C:\ and then go to Programs.

    Also, when in Program Files this way I see some files... are these suspicious, or functional files that I am only seeing because they are no longer hidden?

    hiberfil.sys
    hpfr550.xml (I opened and think this is an hp printer related file)
    io.sys
    msdos.sys
    iph.ph
    ntldr system file
    ntdetect.com
    pagefile.sys
    pdoxusrs.net (filemaker pro 5.5 networking..)
    urlcache.log open in notepad and it says SQPStream 1 0
    system volume information folder which is empty
    boot.ini
    which says [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /forceresetreg /fastdetect /NoExecute=OptIn


    are these all legit?

    is there any other place where a list is maintained of blocked websites?

    thx
     
  8. acegirl

    acegirl Private E-2

    forgot to ask, how do I disable ftp, telnet etc.?

    I do on occasion update my website by FTP... can I then turn it back on at those points, or will my program (I use HoTMetaL) automatically enable it for me?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Please note if you have Spybot S&D installed you will need to "Immunize" again because deldomains will remove all of the sites Spybot adds.)

    HijackThis will not appear there since it is not truly installed as a Windows application, nor is it added to that list.

    Leave them alone they are all okay.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry this is not a topic for this forum! Try the software forum. But you should be more clear and indicate if you mean you are running servers or clients.
     
  11. acegirl

    acegirl Private E-2

    I right clicked on the deldomain.ini file and got an hourglass so presumed it ran.

    When I went to check Internet Options > Privacy > Sites, I still saw the list of Spybot blocks; this was prior to reimmunizing. Didn't see any of my blocked websites like microsoft.com or easypay.bm.

    I also reran it again and did the immunize same thing...still can't get to my sites....
    so have no idea where this blocked site list is kept, if not in host file, nor ie options.

    attached is my latest hjt log.

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file name should be deldomains.inf not deldomain.ini

    And you must right click and select install from the menu of selections to have it run. Otherwise it did not run.
     
  13. acegirl

    acegirl Private E-2

    Sorry for the typo, I did run that file earlier following your instructions. Still not getting access to websites. Is it a Winsock problem?
     
  14. acegirl

    acegirl Private E-2

    In safe mode, ran winsockxpfix.exe downloaded from your website.

    reconfig'd my wireless connection.

    opened up firefox went to www.microsoft.com wouldn't open, nor other sites

    next

    did ipconfig /flush dns

    reran ccleaner

    still got same refused connections to websites.

    I'm going crazy now, I need to get my work done and can't access the sites. Please help I'm about to throw this computer in the trash!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Internet Explorer and click Tools, Internet Options, Security tab, then click the Restricted Sites icon and then click the Sites button. Do you see anything in the Web sites list? If so, you did not get deldomains.inf to run.

    If this is not the problem, get the latest update for your router firmware and install it. See if that helps.

    Are you blocking any sites in a firewall? Make sure you look.

    Can you access any sites at all? If not, perhaps you have something setup wrong with Symantec software and maybe an uninstall, reboot, check to see if things are working, and then reinstall, is needed.

    Just in case you did it as written: the flushdns command for ipconfig is one word not flush dns.
     
    Last edited: Nov 1, 2005
  16. acegirl

    acegirl Private E-2

    Chaslang,

    Finally figured it out. All three networked computers had started acting weird at the same time. I called my ISP provider and relayed all of the stuff you and I had looked at together... which, BTW, he was very impressed by as I'm a newbie.

    He said it was also a relief to know where he had to focus instead of replicating my steps. So saved him analysis time.

    He came and looked at our D-Link Router 784 to see that our ISP provider had assigned us a connection that ended in 255. Apparently, sophisticated addresses such as microsoft.com deny access to such numbers.

    I couldn't get the assignment to change when I rebooted or when I disconnected the PPPoE and logged on again. So instead, I restored factory settings, then set up again from scratch. When it connected I had a valid assignment.

    Thanks for all of your help and for realizing when we had reached our limit. I sure did learn a lot about reading HJT files, clearing my cache with CCleaner, flushing my DNS etc.

    Definitely, will refer you to everyone I know having trouble.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Addresses ending in 255 are normally reserved on a network for special use! I was starting to lean towards a problem in your router. That is why I mentioned checking the firmware. I had seen problems similar to yours where for some reason firmware updates were needed to fix the problems. I believe there were problems in those cases with the internal firewalls of the routers.

    At any rate, I'm happy to see you got it all worked out.

    If everything is back to normal, it is time to work thru the below:

    How to Protect yourself from malware!


    I will not be around until about 11/15/05 but one of our other capable Malware Fighters can continue to help you if it is necessary.
     
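The thread ends on an ISP-assigned address ending in 255. The following is an added example, not code from the thread or from MajorGeeks, showing how to check whether a lease is the reserved network or broadcast address of its subnet; the thread does not state the subnet mask, so the sample addresses and prefixes below are constructed, and a /24-style mask is assumed for the ".255 is broadcast" case.

```python
import ipaddress


def classify_address(addr: str, prefix: int) -> str:
    """Classify a host address inside its subnet.

    Returns 'network', 'broadcast' or 'host'. The network and broadcast
    addresses are reserved: a client that has been handed one of them
    is commonly refused or ignored by remote hosts and firewalls, which
    is the symptom this thread ended on (a lease ending in .255).
    """
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    if net.prefixlen >= 31:
        # /31 (RFC 3021) and /32 subnets reserve no broadcast address,
        # so an address ending in .255 is a normal host there.
        return "host"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


# Constructed sample leases (hypothetical, not values from the thread).
SAMPLE_LEASES = [
    ("203.0.113.255", 24),  # last address of a /24: broadcast, not usable
    ("203.0.113.0", 24),    # first address of a /24: network, not usable
    ("203.0.113.77", 24),   # ordinary usable host address
    ("203.0.112.255", 23),  # .255 inside a /23 is a valid host address
    ("203.0.113.255", 32),  # point-to-point style /32: nothing reserved
]


def audit_leases(leases):
    """Map each 'addr/prefix' to its classification so a bad lease stands out."""
    return {f"{a}/{p}": classify_address(a, p) for a, p in leases}


if __name__ == "__main__":
    for lease, kind in audit_leases(SAMPLE_LEASES).items():
        flag = "" if kind == "host" else "  <-- reserved, expect refused connections"
        print(f"{lease:20} {kind}{flag}")
```

Only the /24 case reproduces the thread's situation; the /23 and /32 rows show that a last octet of 255 is not reserved on its own, so the mask has to be checked before blaming the address.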
