Status
Not open for further replies.

·
Registered
Joined
·
4 Posts
Discussion Starter · #1 · (Edited)
Hi trying to help a friend to remove an Antivirus Pro Install.

Managed to get rid of it, all associated files and the system is clean.
Problem is now similar to this guy

http://www.techsupportforum.com/sec...lp-inactive/319809-ie-wont-load-moved-ie.html

Getting exactly the same error
"Windows cannot connect to the internet using HTTP, HTTPS or FTP. This is probably caused by firewall settings on this computer. Check the firewall settings for the HTTP port (80), HTTPS port(443) and FTP port (21)"

Anyone know how to fix this problem? No browsers and some other net related programs will connect to the net.

While Windows Live Messenger will (latest version as of writing this)

Also tried disabling firewall as the error message in there says it's blocking
stuff but still won't allow the browsers to surf.

I don't have a copy of the Hijackthis log, as it's on that computer and it can't
send me the file. As the computer shows being completely free of this
malware that's pointless anyway and it's only the network settings that are screwed that I need help with.

Thanks :grin:

P.S the computer is running Windows XP SP3, Internet Explorer 7 was being used. Got them to uninstall it and put in IE8 but that didn't fix it either.
(all other software antivirus etc is up to date)
Restore points from before the AntivirusPro won't work either.
All Network properties appear to be set correctly.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hi doomed,

I can't guess at what went wrong and where. :smile:

How did you remove the malware? What tools did you use? Did you save any of the reports? I'll need to see them.

I'd also like to see a proper set of diagnostic logs as well. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #3 · (Edited)
I used, (or instructed them to use)

Hijackthis
Avast! Home Edition
Glarys Utilities
manual deletion and editing.

I have no logs as the computer is sitting 3000km away with no net access.
And all logs now come up as being clean anyway from what they tell me with the malware completely removed.

It's just getting the internet going again that I need help with.
As I said the malware is totally zapped.
If I can somehow get them to send me a network diagnostic I'll post it.
For now all I have is the ability to describe the error sorry.

Googling:
"Windows cannot connect to the internet using HTTP, HTTPS or FTP. This is probably caused by firewall settings on this computer. Check the firewall settings for the HTTP port (80), HTTPS port(443) and FTP port (21)"

seems to bring up many similar scenarios with others, but no clear cut fix.
with most saying "use malwarebytes" or other similar programs which from what I gather removes the malware not restores the connection settings.

Thinking that a tcp/ip and firewall reset might be needed.

Been recommended to use a program called Dial-a-fix and XP TCP/IP Repair 2.0

But I know little about these programs and don't want to cause more damage.
really trying to avoid a format and reinstall as it's only the net that is down.

Going to try and get them to do a cmd line reset first and see if that works.

Sorry that's the best I can give you right now.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
You'll find that fixing/removing most of today's malware cannot be done properly/thoroughly with HijackThis. It does not show all the places malware has injected itself, nor do the commercial apps show you this. :sad:

No doubt along with AntiVirus Pro you had a dnschanger, and my guess is that there is likely still malware on the system that you're not aware of.

Click Start>Run> and copy paste the following text into the Run box, then click OK:

ipconfig /flushdns

------------------------

Next, please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.

Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

------------------------

If those steps have not resolved the connection issue, download and run WinsockFix.

If you still cannot connect, malware is still onboard somewhere.
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #5 ·
ok got the log, and fixed the problem, hijackthis brought up 2 entries to do with proxies that didn't show previously here's the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:58 AM, on 20/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232881455687
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8194 bytes


I got them to remove the 2 "proxy" entries

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

then got them to clean out their temporary internet folders/files again.

Now IE8 and Yahoo messenger and seemingly all net programs are now working again
I had them reset the TCP/IP and Firewall before this though also.
But it was removing these 2 entries and clearing IE's temp files that fixed it.

Malwarebytes, Glarys Utilities and Avast as well as hijackthis now show the system to be totally clean.

Thanks for the feedback and hope some of this helps others in the future.
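
As an added example (not part of the original posts or of any tool named in them): a Python script that reads the R-section lines of a HijackThis log like the one above, flags any ProxyServer value that points at the local machine, and checks whether anything is actually listening on that port. The function names are illustrative; the sample lines are copied from the log in the post.

```python
import re
import socket

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
LOOPBACK = re.compile(r"^(localhost|127(\.\d{1,3}){3})$", re.IGNORECASE)

def parse_proxy_server(value):
    """Split a ProxyServer string into {scheme: (host, port)}."""
    # Two forms exist: 'host:port' (one proxy for every protocol) and the
    # per-protocol form 'http=host:port;https=host:port'.
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, hostport = part.partition("=")
        if not sep:                      # no 'scheme=' prefix
            scheme, hostport = "all", part
        host, _, port = hostport.partition(":")
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies

def loopback_proxies(log_text):
    """Return [(scheme, host, port)] for ProxyServer entries aimed at this machine."""
    hits = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m and m["name"].strip() == "ProxyServer":
            for scheme, (host, port) in parse_proxy_server(m["value"]).items():
                if LOOPBACK.match(host):
                    hits.append((scheme, host, port))
    return hits

def is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds (a proxy is really there)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for scheme, host, port in loopback_proxies(SAMPLE_LOG):
        state = "listening" if is_listening(host, port) else "nothing listening"
        print(f"{scheme} traffic is sent to {host}:{port} ({state})")
```

The value `http=localhost:7171` is the per-protocol form, so only HTTP requests are routed to the local port.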
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
I guarantee you there is more malware on the machine. As I mentioned before, HijackThis is inadequate. If you want to do a thorough job of cleaning this machine, kindly run the tools listed in our pre-posting topic and post the requested logs.
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #7 ·
OK have run your tools on the machine, (just because you asked me to) as well as various others, and amazingly "It's CLEAN" as I said. I don't use hijackthis alone or as a way to clean, I use it to highlight various problems, as you are right NO software is foolproof or gets everything, yours included. I posted the hijack this log to highlight the 2 entries that were causing the problem nothing that any of the other tools I was using did. So I think I'll keep using that piece of software in combination with other programs not just by itself. As I had already posted hijackthis was not the only method used.
and I listed the main programs used to run scans not all of them.
Or should I quit using Avast, malwarebytes, glarys utilities etc etc etc as well???

So again the problem IS fixed, and there are NO viruses, malware, spyware etc etc etc on the machine.

I've never had issues with removing bad software from computers the problem here was the leftover results of said bad software e.g lot of the net programs not working.

As I said the computer was thoroughly scanned by more than one method and is now clean, but I thank you for the attempt at helping me, just I managed to do it on my own while waiting for feedback.

And to be honest, in this case Hijackthis picked up everything. So don't think I'll be giving up on it just yet.
 