
trojan Blocks Internet/Email....Need Help!


Bios24 (Member; joined May 29, 2004; Kansas City, MO)
I'm in desperate need of help. Long story short, I got a trojan, and the next time I restarted I couldn't access websites or email. Firefox, Avast, and IE didn't work. I could use BitTorrent and AIM, but had no website access. I couldn't even access the router setup!

It seems almost random. I could access websites all day yesterday, but no email. Then at night I couldn't do either. Now I can check email (via Thunderbird) and websites, but probably not for long!

I've been working on this for 2 days straight:
- NAV 2004 Scans
- AdAware Scans
- Spybot S&D Scans
- HijackThis Scans (new to me)
- checking running services
- checking logs around the time I got trojan and now
- checking msconfig and startup services
- suspicious exe's in the task manager

I can't find anything!!! I've been able to beat many problems before, but this one is bad. What could possibly block only website access??
 
You said what you have tried, but you didn't give the results of anything you listed. Did any of those programs find anything malicious, and if so, what did it say about attempts to remove it?
 
If these programs found nothing, then you likely have nothing. Can you do a repair install of your OS?


Blocking web site access could be a DNS issue.
 
Well, when I first got the trojan, NAV caught and quarantined it, then deleted it. But it was too late. I found another trojan the next morning on another scan. All scans after that found nothing.

I did find some misc cookies with AdAware, and some registry items with Spybot, but the problem is still there. I also ran xcleaner, but it didn't find anything.

If all these programs found nothing, then what is blocking my website/email access? Another twist: I'm behind a Netgear router with myself and 2 people. When I can't access websites or router setup, they can. So I know it's something with my computer.

What do you mean it could be a DNS issue? How could I check?
 
You might want to disable System Restore first (right click My Computer, go to System Restore, and check the box), restart, and then do a full system scan with your antivirus program, and then your spyware programs. Once you do that, reinstall Firefox (hopefully you still have the installation file on your PC, or download it with one of the other PCs on the network), and see if it works again. Then you can work on reinstalling IE.
 
Post the HijackThis log in here. If it is a trojan and not a malware/spyware issue, then download TDS-3's trial version and see if it picks it up. I would also check your hosts file to see if some malware added a bunch of entries which could be blocking you from getting to certain sites. Does ping work? Open the Run command, type cmd <Enter>, then type ping google.com and copy the output here. Then type ipconfig /all and copy that here.


TDS-3: http://tds.diamondcs.com.au/index.php?page=download

Hosts file and how to use it: http://www.mvps.org/winhelp2002/hosts.htm
 
Same thing happened to me once. I hit Alt+Ctrl+Delete and removed a couple of running processes and it worked fine. So then I did a system restore and it was fine. Did you happen to get any errors like you weren't allowed to access a page? :-/
 
First off, thanks for the advice everyone, this is a serious problem.

It's much more than a simple process running in the background; I've looked several times. I tried re-installing XP w/SP2, but it didn't help. I can't ping google.com or my router, it just comes up and says 'Ping request could not find host google.com'.

I'm typing from a friend's computer right now. When I restarted mine, I couldn't access websites again. I disabled the network card all night last night, and enabled it when I woke up this morning. All was fine until I restarted.

I checked my hosts file, and there was only one line: 127.0.0.1 localhost. I'll try and run TDS-3 and see what it says.

I figured someone would ask for the HijackThis Log:

Logfile of HijackThis v1.99.0
Scan saved at 4:07:54 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\ABIT\ABIT uGuru\ABITEQ.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\girder32\Girder.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Tristan\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [ABITEQ] C:\Program Files\ABIT\ABIT uGuru\ABITEQ.exe -M
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - Startup: Girder3.lnk = C:\Program Files\girder32\Girder.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101532674874
O17 - HKLM\System\CCS\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows XP FUS Manager - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Update: When I restart in safe mode, all is well. It's just when I start regularly that everything is messed up.

It's hard to copy/paste because websites don't work on this computer, but I'll restart in safe mode again and let you know.
 
I think we're getting somewhere! If I go into Firefox, I can get to Google by '216.239.57.99', but not if I type in 'www.google.com'. I still can't access my router. Here's exactly what happened:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ping 216.239.57.99

Pinging 216.239.57.99 with 32 bytes of data:

Reply from 216.239.57.99: bytes=32 time=82ms TTL=241
Reply from 216.239.57.99: bytes=32 time=90ms TTL=241
Reply from 216.239.57.99: bytes=32 time=81ms TTL=241
Reply from 216.239.57.99: bytes=32 time=82ms TTL=241

Ping statistics for 216.239.57.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 81ms, Maximum = 90ms, Average = 83ms

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : bios24
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-50-8D-E3-DF-29
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

C:\>


So... does this mean that there is something blocking access to my router, and thus it can't look up the DNS server?
 
Remove these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1

Actually, check your TCP/IP properties and make sure that you are set to receive a DNS server automatically first.
 
I have to assign myself a static IP from the router, because it wouldn't let me set up a dynamic IP. It gives me some weird IP that starts with 169 and a subnet mask of 255.255.0.0, which is obviously wrong.

I tried to delete those 3 lines, they didn't help, and came back the next restart. Do you know exactly what they do?

I did find a line to delete, the first one:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
I have no idea what this website is, but it was in my hosts file.

On another odd note, I disabled my network card for ~3 hours, and when I enabled it, I could access websites again. What is going on?!
 
I'm guessing that
O17 - HKLM\System\CCS\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0675AE39-9BF3-4934-8E8A-3CDD8D2EC495}: NameServer = 192.168.1.1

is making your computer think that your DNS (Domain Name Server) IP address is 192.168.1.1, when in reality 192.168.1.1, I'm guessing, is the IP address of your router. This is why you can go to Google by typing in the IP address but you can't go there by typing the name www.google.com: you aren't able to access the DNS. What the DNS does for you is convert the name www.google.com into 216.239.57.99. It's much easier for humans to remember names than 4 sets of 3 numbers separated by periods. So in essence, when you type in www.google.com it first goes to the IP address of your DNS, and the DNS converts that name into an IP address like http://216.239.57.99/, then it sends you there. If the IP address of your DNS is messed up, then when you type www.google.com it can't find the DNS which converts the name into the IP address, and that is why you can't search the internet. I hope I cleared that up for you... What you have to do is get rid of the above 3 lines, then:

Right click on Network Places
Left click on Properties
Right click on Local Area Connection
Left click TCP/IP Internet Protocol
Left click Properties
If you want, you can manually type in the DNS IP or obtain it automatically.
Hope this helps,
Eddie
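A small audit of the two HijackThis items the thread keeps coming back to (the O1 hosts entry and the O17 NameServer lines), added here as an example and not code from the thread or from HijackThis. The sample hosts content and O17 lines below are constructed (the registry GUID is a placeholder); the gateway and LAN values come from the ipconfig output posted above.

```python
import ipaddress
import re

# Constructed sample input (not from a real system): a Windows hosts file and
# HijackThis lines in the O1/O17 formats that appear in the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.91.255.87    www.dcsresearch.com
127.0.0.1       update.example-av.invalid   # constructed: a vendor name pinned to loopback
"""
SAMPLE_HJT = r"""O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.168.1.1,198.51.100.7
"""
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)")

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments are stripped
    and one line may carry several names for the same address."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ipaddress.ip_address(ip), n.lower()) for n in names)
    return pairs

def suspicious_hosts_entries(text):
    """Entries that send a name somewhere other than loopback: each one
    overrides DNS for that name, so each should be recognised by the owner."""
    return [(str(ip), name) for ip, name in parse_hosts(text) if ip not in LOOPBACK]

def blocked_loopback_names(text, keywords):
    """Loopback entries for names containing a keyword (e.g. 'av', 'update'):
    the pattern used to keep security tools from reaching their servers."""
    return [name for ip, name in parse_hosts(text)
            if ip in LOOPBACK and name != "localhost" and any(k in name for k in keywords)]

def unexpected_nameservers(hjt_text, gateway, local_net):
    """O17 NameServer values that are neither the gateway nor inside the LAN.
    A value equal to the gateway, as in the thread, is the normal router setup."""
    net = ipaddress.ip_network(local_net)
    odd = []
    for line in hjt_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        for value in m.group(1).split(","):
            ns = ipaddress.ip_address(value)
            if str(ns) != gateway and ns not in net:
                odd.append(str(ns))
    return odd
```

Run against the thread's own values, the O17 lines pointing at 192.168.1.1 are not flagged, while the O1 entry for www.dcsresearch.com is; a hosts entry that maps a name to a public address is the one to look into.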
 
FIXED IT!!

It ended up being something almost random: ProtoWall. For anyone not familiar with ProtoWall, it acts as a firewall that blocks certain ranges of IP addresses that are considered 'bad' (either fake or possible virus, etc.). Well, when I looked in ProtoWall's logs, it kept blocking 192.168.1.1, which was my router!! I'm not exactly sure why ProtoWall was doing this, but I disabled it, and all is well again.

Thanks a bunch for the input everyone, and consider this thread closed.
 