#1
Registered User
Join Date: Feb 2005
Location: New Jersey
Posts: 120
OS: Windows XP
[SOLVED] I have a problem...due to malware(?)
I cannot get an internet connection under Normal Mode even though the connection itself is fine. I was wondering if it was maybe due to an infection of some sort, so I decided to run my Norton anti-virus software. However, Norton would not open under Normal Mode. I rebooted in Safe Mode where the internet works and I was able to run Norton Security Scan (which I downloaded online). Norton found a Trojan horse and deleted it, so I thought all was better. I rebooted to Normal Mode, but the internet still doesn't work and Norton still won't open.
My logs are below and attached. Thank you for your assistance!

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by HP_Owner at 14:14:18.01 on Thu 06/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.196 [GMT -4:00]
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DWABrowserHlprObj Class: {2709d830-b643-4e72-9a1e-701cfffcf30c} - c:\windows\system32\dwabho.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mail01a.shu.edu/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156367911062
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c5/v21.129/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://download.games.yahoo.com/games/web_games/tikgames/pandacraze/gpcontrol.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://mail01a.shu.edu/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://century21.webex.com/client/T23L/training/ieatgpc.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/bin/msnchat45.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\f9mhow7i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\f9mhow7i.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
============= SERVICES / DRIVERS ===============
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-18 28544]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090518.004\NAVENG.SYS [2009-5-18 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090518.004\NAVEX15.SYS [2009-5-18 876144]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-4 1245064]
=============== Created Last 30 ================
2009-06-18 09:23 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-17 10:21 <DIR> --d----- C:\NSS
2009-06-17 10:00 <DIR> --dsh--- c:\documents and settings\hp_owner\PrivacIE
2009-06-17 09:59 <DIR> --dsh--- c:\documents and settings\hp_owner\IETldCache
2009-06-17 09:57 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-17 09:57 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 09:57 <DIR> --d----- c:\windows\ie8updates
2009-06-17 09:55 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-17 09:53 <DIR> -cd-h--- c:\windows\ie8
2009-05-20 19:15 <DIR> --d----- c:\program files\Western Digital
==================== Find3M ====================
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-06 12:49 582 ac------ c:\docume~1\hp_owner\applic~1\wklnhst.dat
2007-04-20 00:20 32 ac---r-- c:\documents and settings\all users\hash.dat
============= FINISH: 14:15:08.14 ===============
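As an added example (my own code, not the poster's, not DDS, and not anything from TSF), here is a small Python triage pass over a DDS pseudo-HJT report of the kind pasted above. It pulls out the entries a log reviewer checks first: BHO, toolbar and explorer-bar registrations whose file is missing ("No File": orphaned registrations left behind by an uninstall, not evidence of infection on their own), proxy-related Internet Settings lines, the Winlogon Userinit value compared with its stock value, Run entries, and services with the start-type digit decoded. The sample input is a constructed subset of the log above; the regexes are my reading of the DDS line formats, not a published DDS grammar.

```python
import re
from dataclasses import dataclass, field

# Windows service start types as DDS prints them after the R(unning)/S(topped) flag.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Constructed sample: a subset of lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = localhost
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-18 28544]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
"""

# Line shapes as they appear in the log above (my reading of the DDS output, an assumption).
HOOK_RE = re.compile(r"^(BHO|TB|EB): (.*?)(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^([um])Run: \[(.*?)\] (.*)$")
SVC_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)( \[[^\]]*\])?$")
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.IGNORECASE)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Triage:
    orphaned: list = field(default_factory=list)     # (kind, CLSID) registered with "No File"
    proxy_lines: list = field(default_factory=list)  # Internet Settings lines touching proxies
    run_entries: list = field(default_factory=list)  # (scope, name, command)
    services: list = field(default_factory=list)     # (name, state, start type, path)
    userinit_ok: bool = True


def triage_dds(text: str) -> Triage:
    """Pull the entries a reviewer checks first out of a DDS pseudo-HJT report."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            kind, _label, clsid, target = m.groups()
            if target.strip().lower() == "no file":   # hook registered, DLL gone
                t.orphaned.append((kind, clsid))
        elif m := RUN_RE.match(line):
            scope, name, cmd = m.groups()
            t.run_entries.append(("user" if scope == "u" else "machine", name, cmd))
        elif m := SVC_RE.match(line):
            state, start, name, _display, path, _stamp = m.groups()
            t.services.append((name, "running" if state == "R" else "stopped",
                               START_TYPES[start], path))
        elif m := USERINIT_RE.match(line):
            # Userinit is a well-known persistence point: anything beyond the single
            # stock executable (DDS drops the registry's trailing comma) deserves a look.
            values = [v.strip().lower() for v in m.group(1).split(",") if v.strip()]
            t.userinit_ok = values == [EXPECTED_USERINIT]
        elif "Internet Settings" in line and "Proxy" in line:
            t.proxy_lines.append(line)
    return t


def report(t: Triage) -> list:
    """Human-readable findings; orphaned hooks are flagged as clean-up, not as infection."""
    lines = [f"orphaned {k} registration {c} (file missing; clean-up candidate)"
             for k, c in t.orphaned]
    lines += [f"proxy setting present: {p}" for p in t.proxy_lines]
    if not t.userinit_ok:
        lines.append("Userinit value is not the stock one: review it")
    lines += [f"service {n} is {s}, start type {st}"
              for n, s, st, _ in t.services if st == "disabled"]
    return lines


if __name__ == "__main__":
    for finding in report(triage_dds(SAMPLE_DDS)):
        print(finding)
```

Run against the full log rather than the sample, the same pass lists every "No File" hook, the ProxyOverride line, and the Symantec services sitting at start type 4; the reviewer still has to decide what each means in context, which is exactly what the reply below does.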
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home
Re: I have a problem...due to malware(?)
It sounds to me like you have a corrupt install of Norton 360. It might be best to uninstall it, run the Norton Removal Tool, and either reinstall, or move to a different AntiVirus. There are several very good free programs available. If that's what you want to try, let me know, and I'll provide more detail.
I don't see any active infection in the logs. What exactly did Norton find and remove? I see in your other thread you mention you ran an online scan. Did it find anything, and did you save a log from that scan?

When you say there's no internet in normal mode, do you mean your browsers don't connect? Or no other applications connect either? Email, iTunes, Google Earth, etc...?

Can you open a command prompt in normal mode? Start > Run > type cmd and press Enter
At the prompt, type ping google.com and then press Enter. Report what it says.
Next, type ping 74.125.45.100 and then press Enter. Report back what it says.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009
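The two ping tests asked for here separate a name-resolution problem from a loss of IP connectivity: the first goes through DNS, the second does not. As an added example that is not part of the thread, the Python below parses Windows ping.exe transcripts of the kind the poster pastes later and turns the pair of results into one of five verdicts. The transcripts are constructed (the success cases mirror the thread's numbers, the failure cases are made up), and the verdict wording is mine.

```python
import re

# Constructed transcripts in the format Windows ping.exe prints.
PING_BY_NAME = """\
Pinging google.com [74.125.45.100] with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=32ms TTL=53
Reply from 74.125.45.100: bytes=32 time=30ms TTL=53
Reply from 74.125.45.100: bytes=32 time=31ms TTL=53
Reply from 74.125.45.100: bytes=32 time=30ms TTL=53
Ping statistics for 74.125.45.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
PING_BY_IP = """\
Pinging 74.125.45.100 with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=31ms TTL=53
Reply from 74.125.45.100: bytes=32 time=36ms TTL=53
Ping statistics for 74.125.45.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
# Constructed failure cases (not from the thread).
NAME_NOT_FOUND = "Ping request could not find host google.com. Please check the name and try again.\n"
IP_TIMEOUT = """\
Pinging 74.125.45.100 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 74.125.45.100:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""

STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
RESOLVED_RE = re.compile(r"^Pinging (\S+) \[([\d.]+)\]", re.MULTILINE)

VERDICTS = {
    "NO_IP_CONNECTIVITY": "no replies even by raw address: adapter, gateway or host firewall, not DNS",
    "DNS_FAILURE": "raw address answers but the name does not resolve: resolver settings or hosts file",
    "DNS_MISMATCH": "name resolved to an address other than the expected one: check DNS servers and hosts file",
    "NAME_FILTERED": "name resolves but its replies are lost while the raw address answers",
    "ABOVE_LAYER_3": "both tests pass: the block is above IP (proxy settings, Winsock/LSP, browser add-ons)",
}


def parse_ping(output: str):
    """Return (address the name resolved to or None, packets sent, packets received)."""
    if "could not find host" in output:          # resolver gave nothing; ping never sent
        return None, 0, 0
    m = RESOLVED_RE.search(output)
    resolved = m.group(2) if m else None          # only present when a name was pinged
    s = STATS_RE.search(output)
    sent, received = (int(s.group(1)), int(s.group(2))) if s else (0, 0)
    return resolved, sent, received


def diagnose(by_name: str, by_ip: str, expected_ip=None) -> str:
    """Combine the name test and the raw-address test into one verdict key from VERDICTS."""
    name_ip, _n_sent, n_recv = parse_ping(by_name)
    _, i_sent, i_recv = parse_ping(by_ip)
    if not (i_sent > 0 and i_recv > 0):
        return "NO_IP_CONNECTIVITY"
    if name_ip is None:
        return "DNS_FAILURE"
    if expected_ip and name_ip != expected_ip:
        return "DNS_MISMATCH"
    if n_recv == 0:
        return "NAME_FILTERED"
    return "ABOVE_LAYER_3"


if __name__ == "__main__":
    key = diagnose(PING_BY_NAME, PING_BY_IP, expected_ip="74.125.45.100")
    print(key, "-", VERDICTS[key])
```

On the thread's own numbers both tests pass, which is why the reply that follows points at a startup item rather than at the network: ICMP works, so whatever is blocking the browsers sits above the IP layer.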
#5
Registered User
Join Date: Feb 2005
Location: New Jersey
Posts: 120
OS: Windows XP
Re: I have a problem...due to malware(?)
Well, I got incredibly impatient and took matters into my own hands... I ran msconfig and just unchecked everything in Startup and restarted the computer. After that, the network was working fine and I was able to open Norton and other programs. However, the computer runs extremely slowly. If you say that there's nothing malicious on my computer, then I'm convinced this computer is seeing its final days and is running out of RAM. I tried the cmd prompt for you anyway. Here are the results:
Pinging google.com [74.125.45.100] with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=32ms TTL=53
Reply from 74.125.45.100: bytes=32 time=30ms TTL=53
Reply from 74.125.45.100: bytes=32 time=31ms TTL=53
Reply from 74.125.45.100: bytes=32 time=30ms TTL=53
Ping statistics for 74.125.45.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 32ms, Average = 30ms

Pinging 74.125.45.100 with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=31ms TTL=53
Reply from 74.125.45.100: bytes=32 time=36ms TTL=53
Reply from 74.125.45.100: bytes=32 time=31ms TTL=53
Reply from 74.125.45.100: bytes=32 time=30ms TTL=53
Ping statistics for 74.125.45.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 36ms, Average = 32ms

Thanks...
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home
Re: I have a problem...due to malware(?)
Well, if you did the ping tests after "I ran msconfig and just unchecked everything in Startup" that sort of negates the purpose of the test. If Norton is included in those items you've disabled at startup, it still might be the cause.
While I realize it can be frustrating to have a machine acting up, being impatient doesn't help matters when dealing with a troubled computer. The thing to do to isolate what's causing the blockage is to re-enable, one by one, those items you've disabled. Reboot after each item is re-enabled, and test connections. When you've added the one item which causes connection to fail, you've found your cause.

About the RAM... you have the bare minimum for effectively running Windows XP with modern applications, 512MB. Norton 360 is very hungry, and will use much of that available RAM.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009
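The re-enable-one-at-a-time procedure above is a linear search with a reboot per probe. As an added example (my code, not the thread's), the Python below models that procedure and, going beyond the post, the bisection variant that re-enables half of the remaining items per reboot, which starts to matter once the msconfig Startup tab holds dozens of entries. The startup list is constructed from the two Run entries in the DDS log plus labelled hypothetical placeholders, and the `works()` callback stands in for "enable that set, reboot, test the connection". Both versions assume a single culprit that reproduces deterministically; if the failure needs two items enabled together, bisection can return the wrong one, which is why the one-by-one method stays the safe fallback.

```python
# Constructed startup list: the two Run entries from the DDS log above plus
# hypothetical placeholders. The culprit is a labelled placeholder, not a finding.
STARTUP_ITEMS = [
    "ctfmon.exe", "QuickTime Task",
    "hypothetical_item_A", "hypothetical_item_B", "hypothetical_item_C",
    "hypothetical_CULPRIT",
    "hypothetical_item_D", "hypothetical_item_E",
]


def make_tester(culprit, log):
    """Build a stand-in for 'enable this set in msconfig, reboot, test the connection'.

    Every call is one simulated reboot; `log` records the enabled set for each.
    """
    def works(enabled):
        log.append(list(enabled))
        return culprit not in enabled
    return works


def isolate_one_by_one(items, works):
    """The post's procedure: re-enable items in order, reboot and test after each."""
    for k in range(1, len(items) + 1):
        if not works(items[:k]):
            return items[k - 1]          # the last item added broke the connection
    return None                          # everything enabled and it still works


def isolate_by_bisection(items, works):
    """Same goal, fewer reboots: keep a prefix that works and a prefix that fails.

    Invariant: works(items[:lo]) is True and works(items[:hi]) is False, so the
    culprit is items[lo] once hi == lo + 1. Assumes exactly one culprit.
    """
    if not works([]):
        raise ValueError("fails with everything disabled: not a startup item")
    if works(list(items)):
        raise ValueError("works with everything enabled: nothing to isolate")
    lo, hi = 0, len(items)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if works(items[:mid]):
            lo = mid
        else:
            hi = mid
    return items[lo]


def compare(items, culprit):
    """Return (culprit found linearly, reboots used, culprit found by bisection, reboots used)."""
    linear_log, bisect_log = [], []
    a = isolate_one_by_one(items, make_tester(culprit, linear_log))
    b = isolate_by_bisection(items, make_tester(culprit, bisect_log))
    return a, len(linear_log), b, len(bisect_log)


if __name__ == "__main__":
    print(compare(STARTUP_ITEMS, "hypothetical_CULPRIT"))
```

With eight entries the saving is one reboot; with thirty it is roughly the difference between thirty reboots and seven, and the sanity checks at the top catch the two cases where the search would be meaningless.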
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home
Re: [SOLVED] I have a problem...due to malware(?)
Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009