Solved Google redirect virus turned worse

October 13, 2011 at 20:15:05
Specs: Windows 7
So a couple weeks ago, I started getting redirected to ad sites whenever I clicked on a google search result. I was able to get around it by clicking my address bar after choosing the result and hitting enter. However, it's gone and messed with my system. Windows Firewall has been broken (impossible to turn on anymore), my internet won't work anymore, and my ArchiCAD program won't start up. None of my antiviral programs could find anything, even ones that I put on from a flash drive that were meant to work on an already infected system. Since I researched this some, I ran the DDS, and here are my results.

http://uploading.com/files/633b1267...
http://uploading.com/files/cd643a24...




✔ Best Answer
October 19, 2011 at 07:27:05
J_K,

Thanks for the reports.

Let's see if we can make more progress...

Please run the following OTL Script

Double-click OTL.exe to start the program.
Copy/Paste ALL the following text into the Custom Scan/Fixes textbox:

:otl
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -- (vsmon)
DRV:64bit: - [2010/05/15 16:30:52 | 000,458,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vsdatant.sys -- (Vsdatant)
:files
C:\windows\SysWow64\vswmi.dll
C:\windows\SysWow64\vsxml.dll
C:\windows\SysNative\drivers\vsdatant.sys
C:\windows\SysWow64\vspubapi.dll
C:\windows\SysWow64\vsdata.dll
C:\windows\SysWow64\ZoneLabs
C:\Program Files (x86)\Zone Labs
C:\windows\SysWow64\vsutil.dll
C:\windows\SysWow64\vsinit.dll
C:\windows\Internet Logs
C:\ProgramData\CheckPoint

Click the Run Fix button at the top.
Click: OK

OTL may ask to reboot the machine. Please do so if asked. If not asked, reboot anyway.

A report should appear in Notepad.

Please Copy/Paste the new OTL report and upload it. Then, provide the link in your next reply.

Now, run the following once again:

Click Start > Run, type: notepad and press Enter.
Once Notepad is open, copy/paste ALL the text below into Notepad:

@echo off
echo.Please wait...
ping localhost >log.txt 2>&1
ping 192.168.1.82 >>log.txt 2>&1
dir /a/b/s c:\qoobox >>log.txt
notepad log.txt

Click: File > Save As...
Save to the Desktop
'File Name', type: fixint2.bat
'Save as type', select 'All files'

Once all of this has been done, click the 'Save' button and exit Notepad.

Now, to run the batch file in Windows 7, right-click 'fixint2.bat' and select: Run as Administrator

Once the batch file has completed running it will close the window automatically.

Please post the log it produces in your reply. If too long, please upload.

Also, see if you can find the log of the first time you ran this batch, fixint.bat, and post it also.


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#1
October 13, 2011 at 20:34:51
J_Kubiak,

Going to download your reports and take a look at them. From what you describe, the ZeroAccess Rootkit is a good possibility.

Will probably not get back to you until tomorrow, but, in the meantime, please download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

Windows Seven: Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply. (No need to upload, it is a short report)
This is a shorter report, and you do not need to upload it.

You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 13, 2011 at 20:49:23
Windows 7 64-bit with ZeroAccess Rootkit. DDS.txt shows the culprit.
Bet this is not surprising news for you.

Let's press on...

Do run aswMBR, as requested above.

Now, please do the following running ComboFix first, and TDSSKiller next. If ComboFix does not run, press on to TDSSKiller:


If you have ComboFix (CF) already on your Desktop, please remove it, and download an updated version:
http://download.bleepingcomputer.co...


Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...

Windows 7: Right-click and select: Run as Administrator

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it, as you did previously.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Now, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
Windows 7: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.

Need to see the following uploads in your reply:
**The 'ComboFix log'
**The 'TDSSKiller' log

Also need to know whether TDSSKiller needed a reboot!


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#3
October 13, 2011 at 20:50:24
Signing off for tonight.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#4
October 13, 2011 at 21:25:57
Alright, ran the aswMBR. Didn't expect it to take only a few seconds. Here are my results.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-13 21:16:00
-----------------------------
21:16:00.519 OS Version: Windows x64 6.1.7601 Service Pack 1
21:16:00.520 Number of processors: 2 586 0x170A
21:16:00.521 ComputerName: JOSHUAKUBIAK-PC UserName: Joshua Kubiak
21:16:01.341 Initialize success
21:16:45.722 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:16:45.724 Disk 0 Vendor: ST932032 0001 Size: 305245MB BusType: 3
21:16:45.733 Disk 0 MBR read successfully
21:16:45.736 Disk 0 MBR scan
21:16:45.738 Disk 0 Windows VISTA default MBR code
21:16:45.742 Service scanning
21:16:47.153 Service Vsdatant C:\windows\system32\DRIVERS\vsdatant.sys **LOCKED** 32
21:16:47.722 Modules scanning
21:16:47.726 Disk 0 trace - called modules:
21:16:47.801 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
21:16:47.805 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003029060]
21:16:47.809 3 CLASSPNP.SYS[fffff88001bb743f] -> nt!IofCallDriver -> [0xfffffa800235fbe0]
21:16:47.813 5 ACPI.sys[fffff88000f947a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002d14050]
21:16:47.818 Scan finished successfully
21:17:09.715 Disk 0 MBR has been saved successfully to "C:\Users\Joshua Kubiak\Desktop\MBR.dat"
21:17:09.721 The log file has been saved successfully to "C:\Users\Joshua Kubiak\Desktop\aswMBR.txt"


Going onto ComboFix and TDSSKiller now.



#5
October 13, 2011 at 22:11:26
Alright, so I ran ComboFix. I hope that what it's done is expected/normal, because whenever I try opening anything, even the windows explorer or notepad, I get a message saying, "Illegal operation attempted on a registry key that has been marked for deletion." I can use Computer to browse through my files, but otherwise every program gives that message. TDSSKiller was able to run fine, but it found nothing. Uploaded the log anyways.

http://uploading.com/files/cb17c9e2...
http://uploading.com/files/438e1922...

Probably not going to be able to check back until about 2:30 P.M. PST.

EDIT: Never mind about the inability to use programs. I booted it up again today, and everything (aside from ArchiCAD still) runs fine. No internet yet, but my Windows Firewall is fixed, which is a plus.



#6
October 14, 2011 at 21:42:34
Well, my Windows Defender also works now. The Norton security system that came with my laptop is still disabled, can't even enable it. My laptop says it is connected to the internet, but whenever I try to use any program that requires internet or just a regular browser, I have no connection. I hope that it can be fixed soon, so that I can get back to my project on ArchiCAD.


#7
October 15, 2011 at 10:10:45
J_Kubiak,

Let's scan the system with a special tool and see if the ZeroAccess RootKit blocked and locked any programs or system files by altering the permissions on them.

Please download Junction.zip:
http://download.sysinternals.com/Fi...

Save it, and unzip it:
Right-click the file and select: Extract all...
Follow the prompts.


Next, place the junction.exe file in the Windows directory (C:\Windows)!! (No need to run the file.)

Go to Start > Run (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
cmd /c junction -s >log.txt&log.txt

A command window opens and scans the system.

Next, a log file opens in Notepad.

Please copy the contents of the log.txt produced, and post it in your reply.
(No need to upload, unless it is very long.)


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#8
October 15, 2011 at 11:18:02
Okay, ran the Junction. Here's what I got from it.

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\C:\Users\Joshua Kubiak\Application Data: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming

\\?\C:\Users\Joshua Kubiak\Cookies: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Cookies

\\?\C:\Users\Joshua Kubiak\Local Settings: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Local
Substitute Name: C:\Users\Joshua Kubiak\AppData\Local

\\?\C:\Users\Joshua Kubiak\My Documents: JUNCTION
Print Name : C:\Users\Joshua Kubiak\Documents
Substitute Name: C:\Users\Joshua Kubiak\Documents

\\?\C:\Users\Joshua Kubiak\NetHood: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\C:\Users\Joshua Kubiak\PrintHood: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\C:\Users\Joshua Kubiak\Recent: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Recent

\\?\C:\Users\Joshua Kubiak\SendTo: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\SendTo

\\?\C:\Users\Joshua Kubiak\Start Menu: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\C:\Users\Joshua Kubiak\Templates: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Joshua Kubiak\AppData\Roaming\Microsoft\Windows\Templates

\\?\C:\Users\Joshua Kubiak\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Local
Substitute Name: C:\Users\Joshua Kubiak\AppData\Local

\\?\C:\Users\Joshua Kubiak\AppData\Local\History: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Joshua Kubiak\AppData\Local\Microsoft\Windows\History

\\?\C:\Users\Joshua Kubiak\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Joshua Kubiak\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Joshua Kubiak\AppData\Local\Microsoft\Windows\Temporary Internet Files

...

\\?\C:\Users\Joshua Kubiak\Documents\My Music: JUNCTION
Print Name : C:\Users\Joshua Kubiak\Music
Substitute Name: C:\Users\Joshua Kubiak\Music

\\?\C:\Users\Joshua Kubiak\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Joshua Kubiak\Pictures
Substitute Name: C:\Users\Joshua Kubiak\Pictures

\\?\C:\Users\Joshua Kubiak\Documents\My Videos: JUNCTION
Print Name : C:\Users\Joshua Kubiak\Videos
Substitute Name: C:\Users\Joshua Kubiak\Videos



...


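The junction -s listing above is read by eye in the thread. The Python below is an added example, not code from the thread or from Sysinternals, that does the same comparison mechanically: it parses a junction -s listing and checks each reparse point against the Windows 7 profile compatibility junctions the posted listing itself shows (Application Data to AppData\Roaming, My Documents to Documents, and so on), flagging entries whose print name and substitute name disagree, whose target is not the standard one, or that sit outside a user profile and so need a look. The embedded log is a constructed sample in the same format with a made-up user name and two deliberately anomalous entries; it is not J_Kubiak's log, and the status labels are my own.

```python
import re
from dataclasses import dataclass

# Windows 7 profile compatibility junctions (link -> target, both relative to the
# profile root), taken from the junction -s listing posted in the thread.
EXPECTED_PROFILE_JUNCTIONS = {
    r"Application Data": r"AppData\Roaming",
    r"Cookies": r"AppData\Roaming\Microsoft\Windows\Cookies",
    r"Local Settings": r"AppData\Local",
    r"My Documents": r"Documents",
    r"NetHood": r"AppData\Roaming\Microsoft\Windows\Network Shortcuts",
    r"PrintHood": r"AppData\Roaming\Microsoft\Windows\Printer Shortcuts",
    r"Recent": r"AppData\Roaming\Microsoft\Windows\Recent",
    r"SendTo": r"AppData\Roaming\Microsoft\Windows\SendTo",
    r"Start Menu": r"AppData\Roaming\Microsoft\Windows\Start Menu",
    r"Templates": r"AppData\Roaming\Microsoft\Windows\Templates",
    r"AppData\Local\Application Data": r"AppData\Local",
    r"AppData\Local\History": r"AppData\Local\Microsoft\Windows\History",
    r"AppData\Local\Temporary Internet Files": r"AppData\Local\Microsoft\Windows\Temporary Internet Files",
    r"Documents\My Music": r"Music",
    r"Documents\My Pictures": r"Pictures",
    r"Documents\My Videos": r"Videos",
}
_EXPECTED = {k.lower(): v for k, v in EXPECTED_PROFILE_JUNCTIONS.items()}  # Windows paths are case-insensitive

# Constructed sample in junction -s format (made-up user "alice", two deliberate
# anomalies at the end); this is NOT the poster's log.
SAMPLE_JUNCTION_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\C:\Users\alice\Application Data: JUNCTION
   Print Name     : C:\Users\alice\AppData\Roaming
   Substitute Name: C:\Users\alice\AppData\Roaming

\\?\C:\Users\alice\My Documents: JUNCTION
   Print Name     : C:\Users\alice\Documents
   Substitute Name: C:\Users\alice\Documents

\\?\C:\Program Files\ExampleApp\data: JUNCTION
   Print Name     : C:\Windows\Temp\redirected
   Substitute Name: C:\Windows\Temp\redirected

\\?\C:\Users\alice\Cookies: JUNCTION
   Print Name     : C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies
   Substitute Name: D:\elsewhere\Cookies
"""

ENTRY_RE = re.compile(r"^\\\\\?\\(?P<link>.+?): (?P<kind>[A-Z ]+?)\s*$")   # "\\?\<path>: JUNCTION"
FIELD_RE = re.compile(r"^\s*(?P<field>Print Name|Substitute Name)\s*:\s*(?P<value>.*?)\s*$")
PROFILE_RE = re.compile(r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+)\\(?P<rel>.+)$", re.IGNORECASE)


@dataclass
class ReparsePoint:
    link: str
    kind: str
    print_name: str = ""
    substitute_name: str = ""


def parse_junction_output(text):
    """Parse junction -s output into ReparsePoint records (header lines are ignored)."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = ReparsePoint(m["link"], m["kind"])
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            if m["field"] == "Print Name":
                current.print_name = m["value"]
            else:
                current.substitute_name = m["value"]
    return entries


def _norm(path):
    return path.strip().rstrip("\\").lower()


def classify(entry):
    """Return (status, detail) where status is expected, mismatch or review."""
    if _norm(entry.print_name) != _norm(entry.substitute_name):
        return "mismatch", f"print name {entry.print_name!r} differs from target {entry.substitute_name!r}"
    m = PROFILE_RE.match(entry.link)
    if not m:
        return "review", "reparse point outside a user profile"
    expected_rel = _EXPECTED.get(m["rel"].lower())
    if expected_rel is None:
        return "review", "not one of the standard profile compatibility junctions"
    if _norm(entry.substitute_name) == _norm(m["root"] + "\\" + expected_rel):
        return "expected", "standard compatibility junction"
    return "mismatch", f"expected {m['root']}\\{expected_rel}, found {entry.substitute_name}"


def audit_junctions(text):
    """Return [(link, status, detail), ...] for every reparse point in the listing."""
    return [(e.link, *classify(e)) for e in parse_junction_output(text)]


if __name__ == "__main__":
    for link, status, detail in audit_junctions(SAMPLE_JUNCTION_LOG):
        print(f"{status:9} {link}  ({detail})")
```

Only the two "review" and "mismatch" lines need a human decision; on the listing posted above every entry would classify as expected, which is what the helper concluded by inspection.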

#9
October 15, 2011 at 19:15:34

If, when you try to run ArchiCAD you see a message that states "Windows cannot access the specified device, path, or file. You may have inappropriate permissions to access the item", use Inherit.exe to fix inappropriate permissions.

Download Inherit.exe: http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe


Save it in the C:\Program Files\Graphisoft\ArchiCAD folder, next to archicad.exe.
Once done, drag and drop archicad.exe into inherit.exe

Once Inherit completes the permissions changes it makes, a "Finish" popup showing "OK" appears.

Click OK, and attempt to run ArchiCAD once again.


However, if that is not the problem, you may have to reinstall ArchiCAD.

Before you do that, see if you can run the ESET Online Scanner

First, disable your AntiVirus and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

If needed, refer to the information available here to temporarily disable these programs:
http://www.bleepingcomputer.com/for...

Since you are using Windows Seven to perform this scan, go to the 'Start' button, look for the browser icon, right-click it and select: 'Run as administrator'.

In the browser address bar, copy paste the following:

http://www.eset.com/us/online-scanner

Press the ESET Online Scanner button
In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
Allow the ActiveX to download, and click 'Install':
http://www.eset.com/us/online-scann...

Click Start
Make sure that the option Remove found threats is unticked/unchecked
Click Scan, and wait for the scan to finish

If any threats are found, click the 'List of found threats', then click Export to text file...
Save the file to your Desktop as: 'ESET Scan'

Please provide the contents of the ESET Scan in your reply.


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#10
October 15, 2011 at 19:56:38
I can't run the ESET Online Scanner as my internet isn't fully functioning. Like I said earlier, I "have" a connection, but it's not really connected. It registers that I am connected, and I can go to the network map and see what other devices are linked to it, but nothing internet related (aside from messaging on Skype) will work. Games, services, browsers, etc. They all register me as offline. ArchiCAD doesn't give me any messages, it just hangs up when I try to open it. I get the loading picture, but at that point it never finishes. And since I'm quite certain that I need an internet connection to register it, I'm probably not going to be able to reinstall it either.


#11
October 15, 2011 at 21:01:56
Check to see if all devices are working properly:
•Go to Start > right-click My Computer and select: Manage
•In the left pane select Device Manager.
•In the right pane expand Network Adapters.
•Is there any '?' or '!' besides the listed devices?

Can you connect an Ethernet cable directly to the problem computer?

Next, open Network Connections by clicking the Start button > Control Panel. In the search box (upper right), type: adapter
Under 'Network and Sharing Center', click 'View network connections'.

Right-click the connection, and then click Properties.

•Internet Protocol (TCP/IP) should be checked.
•Double click on Internet Protocols (TCP/IP)
•Are 'Obtain an IP address automatically' and 'Obtain DNS server address automatically' checked?

Please download MiniToolBox:
http://download.bleepingcomputer.co...
Save it to a USB flash drive, and move it to the Desktop of the computer with problems.

Check the following boxes:
•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•List IP configuration
•List Winsock Entries
•List last 10 Event Viewer log

Click Go and post the Result.txt.
(A copy of Result.txt is saved in the same directory as the tool.)

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#12
October 15, 2011 at 22:17:13
Checked the devices, and all are working properly; no ?'s or !'s were beside any of them. The TCP/IP are enabled and Obtain address automatically boxes are checked as well. I did connect it directly with a cable, but I still have the fake connection problem. Not able to use the internet. Ran the MiniToolBox, and here are my results.

http://uploading.com/files/d45c54b4...

I don't think that Hamachi is able to do anything, but in case it is, it's connected to a trusted IP, so you can just ignore it.



#13
October 16, 2011 at 08:26:12
J_Kubiak,

Please post the Result.txt right here. For some reason I keep getting an error message from the upload site.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#14
October 16, 2011 at 08:48:03
Disregard the above!

Try the following instead:

1. Click Start, and in Start Search, type: cmd
2. Right-click the cmd entry that appears in the search results, and click: Run as administrator.

3. At the command prompt, type the following, and then press ENTER:
netsh winsock reset

You should see the following message:
Successfully reset the Winsock Catalog. You must restart the computer in order to complete the reset.

4. Restart the computer.

Run the MiniToolBox again.

This time just post the results right here.

Thanks

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#15
October 16, 2011 at 10:18:58
Reset the Catalog, and ran the ToolBox again. I put on FF options as well since I really only use Firefox. Anyway, here's what I got; it's quite long.

MiniToolBox by Farbar
Ran by Joshua Kubiak (administrator) on 16-10-2011 at 10:13:43
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection 2" nexthop=5.0.0.1 publish=Yes
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : JoshuaKubiak-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
Physical Address. . . . . . . . . : 70-F1-A1-68-A7-90
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ddb7:ce06:c0d6:c6df%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.82(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 16, 2011 10:10:28 AM
Lease Expires . . . . . . . . . . : Monday, October 17, 2011 10:10:25 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 309391777
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : C8-0A-A9-8F-80-95
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-05-AB-FB-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d54a:31c4:c677:2c0f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 5.171.251.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Sunday, October 16, 2011 10:10:23 AM
Lease Expires . . . . . . . . . . : Monday, October 15, 2012 10:12:28 AM
Default Gateway . . . . . . . . . : 5.0.0.1
DHCP Server . . . . . . . . . . . : 5.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 427456888
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6598FD74-7589-4EDA-AA91-87A378B3922D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5ab:fb3c::5ab:fb3c(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:34da:1444:b327:3a68(Preferred)
Link-local IPv6 Address . . . . . : fe80::34da:1444:b327:3a68%12(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.224.48
74.125.224.52
74.125.224.51
74.125.224.50
74.125.224.49


Pinging google.com [74.125.224.52] with 32 bytes of data:
Reply from 74.125.224.52: bytes=32 time=42ms TTL=51
Reply from 74.125.224.52: bytes=32 time=37ms TTL=51

Ping statistics for 74.125.224.52:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 42ms, Average = 39ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
98.139.180.149
209.191.122.70
67.195.160.76


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=42ms TTL=54
Reply from 98.137.149.56: bytes=32 time=38ms TTL=54

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 42ms, Average = 40ms

Pinging 127.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
===========================================================================
Interface List
11...70 f1 a1 68 a7 90 ......Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
10...c8 0a a9 8f 80 95 ......Atheros AR8152 PCI-E Fast Ethernet Controller
13...7a 79 05 ab fb 3c ......Hamachi Network Interface
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 5.0.0.1 5.171.251.60 9256
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.82 25
5.0.0.0 255.0.0.0 On-link 5.171.251.60 9256
5.171.251.60 255.255.255.255 On-link 5.171.251.60 9256
5.255.255.255 255.255.255.255 On-link 5.171.251.60 9256
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.82 281
192.168.1.82 255.255.255.255 On-link 192.168.1.82 281
192.168.1.255 255.255.255.255 On-link 192.168.1.82 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 5.171.251.60 9256
224.0.0.0 240.0.0.0 On-link 192.168.1.82 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 5.171.251.60 9256
255.255.255.255 255.255.255.255 On-link 192.168.1.82 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 5.0.0.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:34da:1444:b327:3a68/128
On-link
16 1025 2002::/16 On-link
16 281 2002:5ab:fb3c::5ab:fb3c/128
On-link
13 276 fe80::/64 On-link
11 281 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::34da:1444:b327:3a68/128
On-link
13 276 fe80::d54a:31c4:c677:2c0f/128
On-link
11 281 fe80::ddb7:ce06:c0d6:c6df/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
13 276 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\nwprovau.dll [File Not found] ()
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 08 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 07 mswsock.dll [File Not found] ()
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/16/2011 10:13:27 AM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (10/15/2011 07:54:29 PM) (Source: Application Hang) (User: )
Description: The program ArchiCAD.exe version 15.0.0.3006 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13e8

Start Time: 01cc8baec1e44c55

Termination Time: 64

Application Path: C:\Program Files\Graphisoft\ArchiCAD 15\ArchiCAD.exe

Report Id: 188a4793-f7a2-11e0-8f85-c80aa98f8095

Error: (10/15/2011 11:35:59 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (10/15/2011 11:35:25 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (10/15/2011 10:37:14 AM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (10/14/2011 09:34:52 PM) (Source: Application Hang) (User: )
Description: The program java.exe version 6.0.270.7 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 98c

Start Time: 01cc8af3b9cfa491

Termination Time: 16

Application Path: C:\Program Files (x86)\Java\jre6\bin\java.exe

Report Id: 02db550b-f6e7-11e0-928c-c80aa98f8095

Error: (10/14/2011 09:31:20 PM) (Source: Application Hang) (User: )
Description: The program ArchiCAD.exe version 15.0.0.3006 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 11a8

Start Time: 01cc8af3370b9b66

Termination Time: 85

Application Path: C:\Program Files\Graphisoft\ArchiCAD 15\ArchiCAD.exe

Report Id: 84f36aa8-f6e6-11e0-928c-c80aa98f8095

Error: (10/14/2011 06:31:22 PM) (Source: Application Hang) (User: )
Description: The program ArchiCAD.exe version 15.0.0.3006 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13a4

Start Time: 01cc8ad95b0a317c

Termination Time: 47

Application Path: C:\Program Files\Graphisoft\ArchiCAD 15\ArchiCAD.exe

Report Id: 574cf8be-f6cd-11e0-928c-c80aa98f8095

Error: (10/14/2011 06:03:01 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (10/13/2011 09:16:39 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service


System errors:
=============
Error: (10/16/2011 10:13:15 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:13:15 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:13:15 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (10/16/2011 10:11:30 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:11:30 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:11:30 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (10/16/2011 10:11:20 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:11:20 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058

Error: (10/16/2011 10:11:20 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (10/16/2011 10:11:19 AM) (Source: Service Control Manager) (User: )
Description: The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:
%%1058


Microsoft Office Sessions:
=========================

**** End of log ****



#16
October 16, 2011 at 13:44:11
Have to take a look at a Registry key.

Please make an export of the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]


Open Registry Editor as follows:
Click Start, and in Start Search, type: regedit
Right-click the regedit entry that appears in the search results, and click: Run as administrator
Click: Yes

In Registry Editor go to File (upper left), and click: Export
In the prompt that appears...
Save in: Desktop
File name: expreg

Under Export range (at the bottom):
Click: Selected branch
Then, copy/paste the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5

Click: Save

Now, go to the Desktop, and right click the expreg file
Select: Open
Notepad contains the info we need.

Please post the contents of 'expreg' in your reply. If too large, please upload it.

Note: Please do not do anything else with this file.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#17
October 16, 2011 at 13:59:34
The Megauploads website just gives me errors.

Please go to the Uploading website instead:
http://uploading.com/files/upload/
In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the reg export file, and click on 'Open'

You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#18
October 16, 2011 at 14:05:39
Here we go. Followed your instructions, and got the info. I don't think it's large enough to warrant an upload:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000004
"Serial_Access_Num"=dword:00000005
"Num_Catalog_Entries64"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="Tcpip"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="NLA-navneområde (Network Location Awareness)"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\System32\\nwprovau.dll"
"DisplayString"="NWLink IPX/SPX/NetBIOS Compatible Transport Protocol"
"ProviderId"=hex:f0,aa,2d,e0,9f,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:00000001
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:



#19
October 16, 2011 at 17:19:55
Please do the following:

Launch Notepad, (Start > Search box, type in: notepad)

Copy/paste ALL the text below to it, including the title:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000007
"Serial_Access_Num"=dword:00000005
"Num_Catalog_Entries64"=dword:00000008

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"StoresServiceClassInfo"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\NLAapi.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="%SystemRoot%\\system32\\NLAapi.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"

In Notepad, go to 'File' (upper menu bar), and select: Save as

In the 'Save As' prompt:
Save in: Desktop
File Name: wnsck.reg
Save as Type: All files
Click: Save

Exit out of Notepad.


Back on the Desktop, double-click on the wnsck.reg file just saved, and agree when asked to merge the information into the Registry.

Now, restart the computer.

Run MiniToolBox
Only check the following:
-List Winsock Entries
-List IP configuration

Post the results right here.

Check out the connection, and post on how the Internet is doing.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


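The helper checked the export from #18 by eye (a header count of 4 against eight Catalog_Entries subkeys, an NWLink entry whose DLL is gone, a bare "mswsock.dll" in the x64 catalog) and then wrote the corrected .reg in #19 by hand. The script below is an added example, not code from this thread or from any tool mentioned in it: it parses a regedit 5.00 export of NameSpace_Catalog5, cross-checks Num_Catalog_Entries and Num_Catalog_Entries64 against the subkeys actually present, flags LibraryPath values that are bare filenames or point outside the Windows and Program Files trees, and emits the count-fixing .reg fragment. The embedded SAMPLE_REG is a constructed, shortened export (the C:\ProgramData\nsphelper.dll entry is made up for illustration); it assumes %SystemRoot% is C:\Windows, and the "allowed roots" list is a heuristic, so treat its findings as things to look at, not a verdict.

```python
"""Audit a regedit export of the Winsock NameSpace_Catalog5 key (added example)."""
import re
from typing import Callable, Dict, List, Optional

K = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"
     r"\WinSock2\Parameters\NameSpace_Catalog5")
# Roots a Winsock namespace-provider DLL is expected to live under (assumes C:\Windows).
ALLOWED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample, not the poster's export: the x86 header claims 2 entries
# but 3 exist, entry 3 names a made-up DLL under C:\ProgramData, and x64
# entry 1 carries a bare filename, as in the real export.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    rf"[{K}]",
    r'"Num_Catalog_Entries"=dword:00000002',
    r'"Num_Catalog_Entries64"=dword:00000002', "",
    rf"[{K}\Catalog_Entries\000000000001]",
    r'"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"',
    r'"DisplayString"="Tcpip"',
    r'"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b',
    r'"Enabled"=dword:00000001', "",
    rf"[{K}\Catalog_Entries\000000000002]",
    r'"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"',
    r'"DisplayString"="NTDS"', "",
    rf"[{K}\Catalog_Entries\000000000003]",
    r'"LibraryPath"="C:\\ProgramData\\nsphelper.dll"',
    r'"DisplayString"="Helper NSP"', "",
    rf"[{K}\Catalog_Entries64\000000000001]",
    r'"LibraryPath"="mswsock.dll"', "",
    rf"[{K}\Catalog_Entries64\000000000002]",
    r'"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"', "",
])

RegTree = Dict[str, Dict[str, object]]


def parse_reg(text: str) -> RegTree:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key: {value_name: value}}: dword -> int, "..." -> str (unescaped),
    hex: -> bytes (multi-line hex continued with a trailing backslash)."""
    tree: RegTree = {}
    key, hex_name, hex_chars = None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if hex_name is not None:                      # continuation of a hex: value
            hex_chars += line.rstrip("\\")
            if not line.endswith("\\"):
                tree[key][hex_name] = bytes.fromhex(hex_chars.replace(",", ""))
                hex_name = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key is None or m is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif data.startswith("hex:"):
            hex_chars = data[4:].rstrip("\\")
            if data.endswith("\\"):
                hex_name = name
            else:
                tree[key][name] = bytes.fromhex(hex_chars.replace(",", ""))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return tree


def _entries(tree: RegTree, sub: str) -> Dict[int, Dict[str, object]]:
    """Numbered subkeys under Catalog_Entries or Catalog_Entries64."""
    prefix = K + "\\" + sub + "\\"
    return {int(k[len(prefix):]): v for k, v in tree.items() if k.startswith(prefix)}


def audit_catalog(tree: RegTree,
                  file_exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return findings; pass os.path.isfile as file_exists on the affected
    machine to also catch DLLs that are registered but missing on disk."""
    findings: List[str] = []
    header = tree.get(K, {})
    for sub, count_name in (("Catalog_Entries", "Num_Catalog_Entries"),
                            ("Catalog_Entries64", "Num_Catalog_Entries64")):
        entries = _entries(tree, sub)
        nums = sorted(entries)
        if header.get(count_name) != len(nums):
            findings.append(f"{sub}: {count_name}={header.get(count_name)} "
                            f"but {len(nums)} entries present")
        if nums != list(range(1, len(nums) + 1)):
            findings.append(f"{sub}: entry numbers are not contiguous: {nums}")
        for n in nums:
            lib = str(entries[n].get("LibraryPath", ""))
            full = re.sub(r"%systemroot%", r"C:\\Windows", lib, flags=re.I)
            tag = f"{sub}\\{n:012d}: LibraryPath '{lib}'"
            if "\\" not in full:
                findings.append(f"{tag} is a bare filename, not a full path")
            elif not full.lower().startswith(ALLOWED_ROOTS):
                findings.append(f"{tag} is outside the Windows/Program Files trees")
            elif file_exists is not None and not file_exists(full):
                findings.append(f"{tag} does not exist on disk")
    return findings


def render_count_fix(tree: RegTree) -> str:
    """Emit the .reg fragment that sets the header counts to what is actually
    present, the correction post #19 applied by hand (dword values are hex)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{K}]"]
    for sub, count_name in (("Catalog_Entries", "Num_Catalog_Entries"),
                            ("Catalog_Entries64", "Num_Catalog_Entries64")):
        lines.append(f'"{count_name}"=dword:{len(_entries(tree, sub)):08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    t = parse_reg(SAMPLE_REG)
    for finding in audit_catalog(t):
        print("FINDING:", finding)
    print(render_count_fix(t))
```

On the real machine, feed it the expreg file from #18 (open with encoding="utf-16" if regedit saved it that way) and pass file_exists=os.path.isfile. The count fix it prints only repairs the header numbers; deciding which stale or duplicate entries to delete and renumber, as #19 did for entry 8, is still a judgement call made from the findings.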

#20
October 16, 2011 at 21:54:27
Copied, saved, and merged. This thing is tricky; internet still refuses to work. Results are as follows:

MiniToolBox by Farbar
Ran by Joshua Kubiak (administrator) on 16-10-2011 at 21:49:40
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************
========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection 2" nexthop=5.0.0.1 publish=Yes
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : JoshuaKubiak-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
Physical Address. . . . . . . . . : 70-F1-A1-68-A7-90
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ddb7:ce06:c0d6:c6df%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.82(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 16, 2011 9:39:35 PM
Lease Expires . . . . . . . . . . : Monday, October 17, 2011 9:39:35 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 309391777
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : C8-0A-A9-8F-80-95
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-05-AB-FB-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d54a:31c4:c677:2c0f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 5.171.251.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Sunday, October 16, 2011 9:39:30 PM
Lease Expires . . . . . . . . . . : Monday, October 15, 2012 9:41:36 PM
Default Gateway . . . . . . . . . : 5.0.0.1
DHCP Server . . . . . . . . . . . : 5.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 427456888
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6598FD74-7589-4EDA-AA91-87A378B3922D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5ab:fb3c::5ab:fb3c(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:34da:1444:b327:3a68(Preferred)
Link-local IPv6 Address . . . . . : fe80::34da:1444:b327:3a68%12(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.224.51
74.125.224.48
74.125.224.52
74.125.224.49
74.125.224.50


Pinging google.com [74.125.224.51] with 32 bytes of data:
Reply from 74.125.224.51: bytes=32 time=42ms TTL=51
Reply from 74.125.224.51: bytes=32 time=36ms TTL=51

Ping statistics for 74.125.224.51:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 42ms, Average = 39ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
72.30.2.43
98.137.149.56
98.139.180.149


Pinging yahoo.com [98.139.180.149] with 32 bytes of data:
Reply from 98.139.180.149: bytes=32 time=131ms TTL=43
Reply from 98.139.180.149: bytes=32 time=114ms TTL=43

Ping statistics for 98.139.180.149:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 114ms, Maximum = 131ms, Average = 122ms

Pinging 127.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
===========================================================================
Interface List
11...70 f1 a1 68 a7 90 ......Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
10...c8 0a a9 8f 80 95 ......Atheros AR8152 PCI-E Fast Ethernet Controller
13...7a 79 05 ab fb 3c ......Hamachi Network Interface
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 5.0.0.1 5.171.251.60 9256
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.82 30
5.0.0.0 255.0.0.0 On-link 5.171.251.60 9256
5.171.251.60 255.255.255.255 On-link 5.171.251.60 9256
5.255.255.255 255.255.255.255 On-link 5.171.251.60 9256
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.82 286
192.168.1.82 255.255.255.255 On-link 192.168.1.82 286
192.168.1.255 255.255.255.255 On-link 192.168.1.82 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 5.171.251.60 9256
224.0.0.0 240.0.0.0 On-link 192.168.1.82 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 5.171.251.60 9256
255.255.255.255 255.255.255.255 On-link 192.168.1.82 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 5.0.0.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:34da:1444:b327:3a68/128
On-link
16 1025 2002::/16 On-link
16 281 2002:5ab:fb3c::5ab:fb3c/128
On-link
13 276 fe80::/64 On-link
11 286 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::34da:1444:b327:3a68/128
On-link
13 276 fe80::d54a:31c4:c677:2c0f/128
On-link
11 286 fe80::ddb7:ce06:c0d6:c6df/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
13 276 ff00::/8 On-link
11 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 04 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

**** End of log ****



#21
October 17, 2011 at 03:29:00
Worked perfectly – thank you so much!!

http://www.easyfixvirus.com/how-to-...



#22
October 17, 2011 at 06:26:19
J_Kubiak,

Actually, there is Internet connection with the server, and there is successful connection to google.com and yahoo.com.
However, the TCP/IP stack is damaged.

Please apply the following commands from an elevated command prompt:
Start > Search box > type in: cmd.exe

Copy/paste one at a time:

netsh int ip reset

netsh winsock reset


Reboot.


Make sure the system is wired connected to the router.

Also make sure TCP/IP settings are set to automatic for both the wireless and wired adapter:
http://windows.microsoft.com/en-US/...

Reboot again for any changes to take place.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


#23
October 17, 2011 at 07:48:58
Also, if still no-go, restart the computer in Safe Mode with Networking
(Tap F8 as the PC restarts, select SMwN from the Boot Options menu)

See if you can connect to the Internet going that route.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


#24
October 17, 2011 at 14:53:52
I followed your instructions, but I still can't get it fully connected. I typed in the commands, made sure both were set to automatic, shut it down, plugged in the cable, turned it back on, let it fully load, and rebooted again. Opened my connections list just to make sure the cable wasn't loose or anything. Clicked on the connection types, and IPv4 Connectivity says: Internet, while IPv6 says: No Internet access. Safe mode didn't work either; just said that I had limited connectivity, even with the cable. I don't suppose that I can download the files to repair them, or a program that will fix them? Also, I ran MiniToolBox again with just IP enabled, in case you wanted to see what/if anything has changed.

MiniToolBox by Farbar
Ran by Joshua Kubiak (administrator) on 17-10-2011 at 14:49:14
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************
========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : JoshuaKubiak-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
Physical Address. . . . . . . . . : 70-F1-A1-68-A7-90
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ddb7:ce06:c0d6:c6df%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.82(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 2:46:09 PM
Lease Expires . . . . . . . . . . : Tuesday, October 18, 2011 2:46:08 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 309391777
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : C8-0A-A9-8F-80-95
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::99cb:c1cb:80e2:ef47%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.85(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 2:46:15 PM
Lease Expires . . . . . . . . . . : Tuesday, October 18, 2011 2:46:14 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 247990953
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-05-AB-FB-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d54a:31c4:c677:2c0f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 5.171.251.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 2:46:04 PM
Lease Expires . . . . . . . . . . : Tuesday, October 16, 2012 2:48:10 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 5.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 427456888
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6598FD74-7589-4EDA-AA91-87A378B3922D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5ab:fb3c::5ab:fb3c(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.224.50
74.125.224.48
74.125.224.51
74.125.224.49
74.125.224.52


Pinging google.com [74.125.224.80] with 32 bytes of data:
Reply from 74.125.224.80: bytes=32 time=44ms TTL=51
Reply from 74.125.224.80: bytes=32 time=37ms TTL=51

Ping statistics for 74.125.224.80:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 44ms, Average = 40ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
72.30.2.43
98.137.149.56
98.139.180.149


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=77ms TTL=54
Reply from 209.191.122.70: bytes=32 time=70ms TTL=54

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 77ms, Average = 73ms

Pinging 127.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
===========================================================================
Interface List
11...70 f1 a1 68 a7 90 ......Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
10...c8 0a a9 8f 80 95 ......Atheros AR8152 PCI-E Fast Ethernet Controller
13...7a 79 05 ab fb 3c ......Hamachi Network Interface
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.82 25
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.85 20
5.0.0.0 255.0.0.0 On-link 5.171.251.60 276
5.171.251.60 255.255.255.255 On-link 5.171.251.60 276
5.255.255.255 255.255.255.255 On-link 5.171.251.60 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.82 281
192.168.1.0 255.255.255.0 On-link 192.168.1.85 276
192.168.1.82 255.255.255.255 On-link 192.168.1.82 281
192.168.1.85 255.255.255.255 On-link 192.168.1.85 276
192.168.1.255 255.255.255.255 On-link 192.168.1.82 281
192.168.1.255 255.255.255.255 On-link 192.168.1.85 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 5.171.251.60 276
224.0.0.0 240.0.0.0 On-link 192.168.1.82 281
224.0.0.0 240.0.0.0 On-link 192.168.1.85 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 5.171.251.60 276
255.255.255.255 255.255.255.255 On-link 192.168.1.82 281
255.255.255.255 255.255.255.255 On-link 192.168.1.85 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
16 1025 2002::/16 On-link
16 281 2002:5ab:fb3c::5ab:fb3c/128
On-link
13 276 fe80::/64 On-link
11 281 fe80::/64 On-link
10 276 fe80::/64 On-link
10 276 fe80::99cb:c1cb:80e2:ef47/128
On-link
13 276 fe80::d54a:31c4:c677:2c0f/128
On-link
11 281 fe80::ddb7:ce06:c0d6:c6df/128
On-link
1 306 ff00::/8 On-link
13 276 ff00::/8 On-link
11 281 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

**** End of log ****


#25
October 17, 2011 at 15:30:32
J_K,

Try uninstalling Norton Internet Security.
We need to make sure its firewall is not the culprit!

Then, apply the following commands from an elevated command prompt:

Start > Search box > type in: cmd.exe
Right-click cmd, and select: Run as Administrator

Copy/paste one at a time:

netsh int ip reset

netsh winsock reset

Exit the command prompt,

Reboot, and test the connection.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


#26
October 17, 2011 at 16:58:42
Uninstalled Norton; bit of a pain to get rid of, because neither the provided uninstall program nor the direct uninstall from the control panel would get rid of it; had to google the Norton Remover and put it on a flash drive to get it removed. Anyways, ran the prompt, input the commands, and rebooted. Slightly promising results this time; Adobe informed me of a Flash Player update, and gave me an option to install it, but then when I attempted to do so, it had no connection. It looks like I might be getting a second or two when I first load up, but then it fails again.

#27
October 17, 2011 at 18:19:50
Let's try the following, it is an extended Registry merge from what you did before:


Step 1:
Launch Notepad once again, (Start > Search box, type in: notepad)

Copy/paste ALL the text below to it, including the title:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000008
"Serial_Access_Num"=dword:00000005
"Num_Catalog_Entries64"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\\system32\\NLAapi.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

In Notepad, go to 'File' (upper menu bar), and select: Save as

In the 'Save As' prompt:
Save in: Desktop
File Name: wnsck2.reg
Save as Type: All files
Click: Save

Exit out of Notepad.


Back on the Desktop, double-click on the wnsck2.reg file just saved, and agree when asked to merge the information into the Registry.

Now, restart the computer.

Step 2:
If the issue continues, once again apply the following commands from an elevated command prompt:
Start > Search box > type in: cmd.exe
Right-click 'cmd', and select: Run as Administrator

Copy/paste one at a time:

netsh int ip reset
netsh winsock reset

Exit from the prompt.

Restart the computer.

Step 3:
Consult the following info once again ('Change TCP/IP Settings') to make sure these are set correctly: both the Wireless LAN adapter Wireless Network Connection and
the Ethernet adapter Local Area Connection should obtain IP and DNS automatically:
http://windows.microsoft.com/en-US/...

Restart the computer, and check out the connection.

Step 4:
Run MiniToolBox
Only check the following:
-List Winsock Entries
-List IP configuration

Post the results right here.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


#28
October 17, 2011 at 19:05:25
Merged successfully and rebooted; no change. Checked the TCP/IP settings before and after inputting reset commands. Both set on auto obtain. Do you think removing my current internet address from my system and re-entering it might do any good? Anyways, here's the MTB results (what IP is this? I don't think it's the Hamachi address)
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),:

MiniToolBox by Farbar
Ran by Joshua Kubiak (administrator) on 17-10-2011 at 18:57:00
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************
========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : JoshuaKubiak-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
Physical Address. . . . . . . . . : 70-F1-A1-68-A7-90
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ddb7:ce06:c0d6:c6df%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.82(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 6:56:06 PM
Lease Expires . . . . . . . . . . : Tuesday, October 18, 2011 6:56:05 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 309391777
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : C8-0A-A9-8F-80-95
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::99cb:c1cb:80e2:ef47%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.85(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 6:56:15 PM
Lease Expires . . . . . . . . . . : Tuesday, October 18, 2011 6:56:14 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 247990953
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-05-AB-FB-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d54a:31c4:c677:2c0f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 5.171.251.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Monday, October 17, 2011 6:56:04 PM
Lease Expires . . . . . . . . . . : Monday, October 17, 2011 7:00:18 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 5.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 427456888
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-7A-B4-C8-0A-A9-8F-80-95
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6598FD74-7589-4EDA-AA91-87A378B3922D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5ab:fb3c::5ab:fb3c(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.224.145
74.125.224.148
74.125.224.147
74.125.224.146
74.125.224.144


Pinging google.com [74.125.224.148] with 32 bytes of data:
Reply from 74.125.224.148: bytes=32 time=40ms TTL=51
Reply from 74.125.224.148: bytes=32 time=36ms TTL=51

Ping statistics for 74.125.224.148:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 40ms, Average = 38ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
72.30.2.43
98.137.149.56
98.139.180.149


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=43ms TTL=55
Reply from 72.30.2.43: bytes=32 time=37ms TTL=55

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 43ms, Average = 40ms

Pinging 127.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
===========================================================================
Interface List
11...70 f1 a1 68 a7 90 ......Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
10...c8 0a a9 8f 80 95 ......Atheros AR8152 PCI-E Fast Ethernet Controller
13...7a 79 05 ab fb 3c ......Hamachi Network Interface
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.82 26
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.85 20
5.0.0.0 255.0.0.0 On-link 5.171.251.60 276
5.171.251.60 255.255.255.255 On-link 5.171.251.60 276
5.255.255.255 255.255.255.255 On-link 5.171.251.60 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.82 281
192.168.1.0 255.255.255.0 On-link 192.168.1.85 276
192.168.1.82 255.255.255.255 On-link 192.168.1.82 281
192.168.1.85 255.255.255.255 On-link 192.168.1.85 276
192.168.1.255 255.255.255.255 On-link 192.168.1.82 281
192.168.1.255 255.255.255.255 On-link 192.168.1.85 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 5.171.251.60 276
224.0.0.0 240.0.0.0 On-link 192.168.1.82 281
224.0.0.0 240.0.0.0 On-link 192.168.1.85 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 5.171.251.60 276
255.255.255.255 255.255.255.255 On-link 192.168.1.82 281
255.255.255.255 255.255.255.255 On-link 192.168.1.85 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
16 1025 2002::/16 On-link
16 281 2002:5ab:fb3c::5ab:fb3c/128
On-link
13 276 fe80::/64 On-link
11 281 fe80::/64 On-link
10 276 fe80::/64 On-link
10 276 fe80::99cb:c1cb:80e2:ef47/128
On-link
13 276 fe80::d54a:31c4:c677:2c0f/128
On-link
11 281 fe80::ddb7:ce06:c0d6:c6df/128
On-link
1 306 ff00::/8 On-link
13 276 ff00::/8 On-link
11 281 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

**** End of log ****


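The .reg file from #27 and the Winsock listing in #28 can be checked mechanically before merging and after the reboot: a Num_Catalog_Entries value that disagrees with the number of Catalog_Entries subkeys, a gap in the catalog numbering, or a provider DLL that lives outside the Windows system directories are the things to look for in a Winsock catalog after an infection. The script below is an added example, not code from the thread, from MiniToolBox or from Farbar; the trusted-directory list is an assumption for a stock Windows 7 install, and the "Catalog9 03" sample line is constructed to show what a suspicious entry looks like.

```python
"""Sanity checks for Winsock catalog data of the kind posted in this thread:
the "Winsock entries" section of a MiniToolBox report, and a NameSpace_Catalog5
.reg export whose Num_Catalog_Entries must match the subkeys it defines."""
import re
from dataclasses import dataclass

# One MiniToolBox Winsock line: catalog, two-digit index, DLL path, [size], (vendor).
ENTRY_RE = re.compile(
    r"^(?P<catalog>(?:x64-)?Catalog[59])\s+(?P<index>\d{2})\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\]\s+\((?P<vendor>[^)]*)\)\s*$"
)

# Assumption: where a stock Windows 7 provider DLL is expected to live. The Windows
# Live NSP paths are included because the thread's own listing shows WLIDNSP.DLL there.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\common files\\microsoft shared\\windows live\\",
    "c:\\program files (x86)\\common files\\microsoft shared\\windows live\\",
)


@dataclass
class WinsockEntry:
    catalog: str   # "Catalog5", "Catalog9", "x64-Catalog5", "x64-Catalog9"
    index: int
    path: str
    size: int
    vendor: str


def parse_winsock_entries(text: str) -> list:
    """Return the WinsockEntry objects found in a MiniToolBox Winsock listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(WinsockEntry(m["catalog"], int(m["index"]), m["path"],
                                        int(m["size"]), m["vendor"]))
    return entries


def audit_entries(entries) -> list:
    """Flag providers outside system directories, non-Microsoft or empty vendors,
    and catalogs whose indices are not contiguous from 01 (a gap usually means an
    entry was removed without renumbering, which is how the stack gets broken)."""
    findings = []
    indices = {}
    for e in entries:
        indices.setdefault(e.catalog, []).append(e.index)
        if not e.path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"{e.catalog} {e.index:02d}: provider outside system directories: {e.path}")
        if e.vendor != "Microsoft Corporation":
            findings.append(f"{e.catalog} {e.index:02d}: non-Microsoft or unsigned vendor '{e.vendor}'")
    for catalog, idxs in indices.items():
        if sorted(idxs) != list(range(1, len(idxs) + 1)):
            findings.append(f"{catalog}: indices {sorted(idxs)} are not contiguous from 01")
    return findings


NUM_RE = re.compile(r'^"Num_Catalog_Entries"=dword:([0-9a-fA-F]{8})\s*$', re.M)
SUBKEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\NameSpace_Catalog5\\Catalog_Entries\\(\d{12})\]\s*$", re.M)


def check_reg_catalog(reg_text: str) -> tuple:
    """Return (declared, actual): Num_Catalog_Entries as written in the .reg versus
    the number of distinct Catalog_Entries subkeys the file actually defines."""
    m = NUM_RE.search(reg_text)
    declared = int(m.group(1), 16) if m else None
    actual = len(set(SUBKEY_RE.findall(reg_text)))
    return declared, actual


# Constructed sample: lines modelled on the thread's listing plus one made-up
# "Catalog9 03" entry (unknown DLL in a user-writable folder, no vendor, index gap).
SAMPLE_LOG = r"""
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Users\Public\example_unknown_lsp.dll [40960] ()
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
"""

# Constructed two-entry .reg in the same format as the one posted in #27.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000002
"Serial_Access_Num"=dword:00000005
"Num_Catalog_Entries64"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\\system32\\NLAapi.dll"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"Enabled"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_entries(parse_winsock_entries(SAMPLE_LOG)):
        print("WARN", finding)
    print("reg declares %s entries, defines %s" % check_reg_catalog(SAMPLE_REG))
```

On a real machine, paste the MiniToolBox "Winsock entries" section into SAMPLE_LOG and the saved wnsck2.reg into SAMPLE_REG; a declared/actual mismatch is worth fixing before merging the file.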
#29
October 18, 2011 at 05:17:22
Hi aaflac44, I see you have tried a lot of combinations. I have not read them all, but you may get some value out of this info by using it to suit your methods.

I solved a similar issue about a year ago; the link below was helpful in guiding me, and I did it as per below.

Vista & Windows 7 DNS Cache: Flush, Clear, or Reset
http://www.tech-recipes.com/rx/1600...
Go into your IP settings and turn off IPV6.
IPV4 should be on.
Click on the IPV4 properties and Advanced settings.
Remove the check mark beside "Enable LMHOSTS lookup" on the WINS tab and check "Disable NetBIOS over TCP/IP"

http://www.trainsignal.com/blog/win...


#30
October 18, 2011 at 09:11:04
J_K,

Go for it, J_Kubiak, and follow Johnw's suggestions, and then check the connection.

If still no-go, we need to rule out more possibilities...


To answer your previous question on 127.0.0.1 (what IP is this): it is the IP address reserved for the localhost, that is, the computer itself.


Also, is this your computer or a work computer?


Please make sure the Windows firewall is disabled. Would presume it is.

Let's press on...

Step 1:
Go to Start > Right-click 'Computer' and select: 'Manage' > Select 'Device Manager' > Expand: 'Network Adapters'
Right-click on the following one by one and select 'Disable':

Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
Atheros AR8152 PCI-E Fast Ethernet Controller

Then, enable them one by one.


Step 2:
Next, run the following batch file.

Click Start > Run, type: notepad and press Enter.

Once Notepad is open, copy/paste ALL the text below into Notepad:

@echo off
echo.Please wait...
ping localhost >log.txt 2>&1
ping 192.168.1.82 >>log.txt 2>&1
dir /a/b/s c:\qoobox >>log.txt
notepad log.txt


Click: File > Save As...
Save to the Desktop
'File Name', type: fixint.bat
'Save as type', select 'All files'

Once all of this has been done, click the 'Save' button and exit Notepad.

Now, to run the batch file in Windows 7, right-click 'fixint.bat' and select: Run as Administrator

Once the batch file has completed running it will close the window automatically.


Step 3:
Now, open Internet Explorer. Press on "Diagnose Network Problems" and post the result.


Step 4:
Follow the instruction here to troubleshoot:
http://www.7tutorials.com/how-troub...

Let us know how it goes, and if you get any error.


Step 5:
Please download the latest version of OTL from
http://oldtimer.geekstogo.com/OTL.exe

Save to the Desktop

Double click on the 'OTL' icon on your Desktop.
Check: 'Scan All Users'
Check the 'Standard Output'
-Set Services to All
-Set Drivers to All
Click the Run Scan button.

When done, two reports open:
OTL.txt
Extra.txt: is minimized to the TaskBar

Please provide only the OTL.txt in your reply. You will need to upload this report!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#31
October 18, 2011 at 15:06:14
Partial success! I'm not sure whether it was John's solution or part of yours, but when I started on Step 3 and opened IE, I actually loaded the webpage, and can visit other sites. Posting from my laptop. Anyways, the rest of the system can't use the internet, so there's still something corrupted or faulty. However, I can at least do a few more things, possibly run some better scans. I'm going to continue as best as I can, since I doubt I can do Step 3 if the connection works. Also, this is a personal machine, not for work.


#32
October 18, 2011 at 15:12:06
J_Kubiak, I did edit my post, wasn't happy with the wording, here is the edit.

Remove the check mark beside "Enable LMHOSTS lookup" on the WINS tab and check "Disable NetBIOS over TCP/IP"



#33
October 18, 2011 at 15:45:37
Yeah, I was a bit confused on that part, so I tried it on both; it's on disable right now. Anyways, here's my OTL results:

http://uploading.com/files/b2am3dfe...



#34
October 18, 2011 at 16:01:41
"I was a bit confused on that part"

Sorry about that, it's now morning in Western Australia; a look at one's wording when fresh makes a big difference.

Should have also mentioned doing a reboot after the changes.



#35
October 18, 2011 at 16:38:45
Yeah, I figured that rebooting would be necessary, since that's what I had to do pretty much every time aaflac told me to change some settings.


#36
October 18, 2011 at 19:02:02
Thanks for the info, J_K.

"I'm not sure whether it was John's solution or part of yours..."
It really does not matter, we are both working towards a common goal.


"Posting from my laptop."
The laptop IS the machine with the problems, right?


"the rest of the system can't use Internet..."
Do you mean, if you run a program, and it needs to access the Internet, it does not happen? If not, please explain further.


"I can at least do a few more things, possibly run some better scans..."
If at all possible, please refrain from running other scans. It may just make things worse. If it comes to a point where we run out of ideas, we'll let you know, or refer you elsewhere.


"I doubt I can do Step 3 if the connection works..."
Would press on and do Step 3 and Step 4. You are saying the connection works, but not entirely!!

Thanks.


#37
October 18, 2011 at 20:34:37
Alright, it's probably your solution, because I re-enabled the IPV6 adapter and undid the settings changes I enacted on IPV4, and IE still gets connection. So yes, my laptop is the machine with the problems; and I can browse internet explorer, go to any web page, but if I try running say, a game I installed, it registers me as offline, or with no connection. I simply cannot do Step #3; I open up tools, and Diagnose Connection Problems is greyed out. And I tried Step #4, but it couldn't find any problems.


#38
October 18, 2011 at 20:56:49
"and I can browse internet explorer"
Try your Firefox browser. I use Pale Moon as my default browser, and also have Firefox installed.

Pale Moon
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.palemoon.org/download-ng...
http://www.palemoon.org/technical.html
http://www.palemoon.org/troubleshoo...
Pale Moon Portable
http://www.softpedia.com/get/PORTAB...



#39
October 18, 2011 at 22:02:37
Forgot to mention Firefox won't work. But anyways, downloaded Pale Moon, installed, opened up: no connection.


#40
October 19, 2011 at 07:13:44
J_Kubiak, give this a try.

Fix Persistent Network Problems by Resetting TCP/IP in Windows 7 [How To]
http://mintywhite.com/windows-7/7ma...
Therefore in order to manually reset your TCP/IP in Windows 7 you have to:
Open an elevated Command prompt (Right Click CMD.EXE and choose Run as administrator)
Type one of the following:
netsh interface ipv4 reset
netsh interface ipv6 reset
Restart your Computer.



#41
October 19, 2011 at 07:27:05
✔ Best Answer
J_K,

Thanks for the reports.

Let's see if we can make more progress...

Please run the following OTL Script

Double-click OTL.exe to start the program.
Copy/Paste ALL the following text into the Custom Scan/Fixes textbox:

:otl
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -- (vsmon)
DRV:[b]64bit:[/b] - [2010/05/15 16:30:52 | 000,458,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vsdatant.sys -- (Vsdatant)
:files
C:\windows\SysWow64\vswmi.dll
C:\windows\SysWow64\vsxml.dll
C:\windows\SysNative\drivers\vsdatant.sys
C:\windows\SysWow64\vspubapi.dll
C:\windows\SysWow64\vsdata.dll
C:\windows\SysWow64\ZoneLabs
C:\Program Files (x86)\Zone Labs
C:\windows\SysWow64\vsutil.dll
C:\windows\SysWow64\vsinit.dll
C:\windows\Internet Logs
C:\ProgramData\CheckPoint

Click the Run Fix button at the top.
Click: OK

OTL may ask to reboot the machine. Please do so if asked. If not asked, reboot anyway.

A report should appear in Notepad.

Please Copy/Paste the new OTL report and upload it. Then, provide the link in your next reply.

Now, run the following once again:

Click Start > Run, type: notepad and press Enter.
Once Notepad is open, copy/paste ALL the text below into Notepad:

@echo off
echo.Please wait...
ping localhost >log.txt 2>&1
ping 192.168.1.82 >>log.txt 2>&1
dir /a/b/s c:\qoobox >>log.txt
notepad log.txt

Click: File > Save As...
Save to the Desktop
'File Name', type: fixint2.bat
'Save as type', select 'All files'

Once all of this has been done, click the 'Save' button and exit Notepad.

Now, to run the batch file in Windows 7, right-click 'fixint2.bat' and select: Run as Administrator

Once the batch file has completed running it will close the window automatically.

Please post the log it produces in your reply. If too long, please upload.

Also, see if you can find the log of the first time you ran this batch, fixint.bat, and post it also.


Thanks.


#42
October 19, 2011 at 15:10:46
Alright! My internet is now almost fully functioning! Just about all of my programs work with internet now. Skype can connect to home, my games connect, albeit missing a couple minor features such as player lists in-game, and my Firefox works again. There's probably a couple small things to clean up, since OTL said a couple things failed to move, but it's back to 90% working capacity again. I ran your fix first aaflac, just so that John's didn't somehow affect the results. Didn't need to run yours by the way, but thanks for helping me John. Also, do you still want me to run that fixint file, or move on to a final cleanup? Anyways, OTL results:

========== OTL ==========
Error: Unable to stop service vsmon!
Unable to delete service\driver key vsmon.
C:\Windows\SysWOW64\ZoneLabs\vsmon.exe moved successfully.
Error: Unable to stop service Vsdatant!
Unable to delete service\driver key Vsdatant.
File move failed. C:\Windows\SysNative\drivers\vsdatant.sys scheduled to be moved on reboot.
========== FILES ==========
C:\windows\SysWow64\vswmi.dll moved successfully.
C:\windows\SysWow64\vsxml.dll moved successfully.
File move failed. C:\windows\SysNative\drivers\vsdatant.sys scheduled to be moved on reboot.
C:\windows\SysWow64\vspubapi.dll moved successfully.
C:\windows\SysWow64\vsdata.dll moved successfully.
C:\windows\SysWow64\ZoneLabs\lib\pyd folder moved successfully.
C:\windows\SysWow64\ZoneLabs\lib folder moved successfully.
C:\windows\SysWow64\ZoneLabs folder moved successfully.
C:\Program Files (x86)\Zone Labs\ZoneAlarm\repair folder moved successfully.
C:\Program Files (x86)\Zone Labs\ZoneAlarm\Diagnostics\cp_ini folder moved successfully.
C:\Program Files (x86)\Zone Labs\ZoneAlarm\Diagnostics folder moved successfully.
C:\Program Files (x86)\Zone Labs\ZoneAlarm folder moved successfully.
C:\Program Files (x86)\Zone Labs folder moved successfully.
C:\windows\SysWow64\vsutil.dll moved successfully.
C:\windows\SysWow64\vsinit.dll moved successfully.
Folder move failed. C:\windows\Internet Logs scheduled to be moved on reboot.
C:\ProgramData\CheckPoint\ZoneAlarm folder moved successfully.
C:\ProgramData\CheckPoint folder moved successfully.

OTL by OldTimer - Version 3.2.31.0 log created on 10192011_143431

Files\Folders moved on Reboot...
File move failed. C:\Windows\SysNative\drivers\vsdatant.sys scheduled to be moved on reboot.
Folder move failed. C:\windows\Internet Logs scheduled to be moved on reboot.

Registry entries deleted on Reboot...



#43
October 19, 2011 at 16:36:24
J_K,

Do run fixint2.bat, and post the results.

Also, if you have the results for the first batch, fixint.bat (post #30), include them as well.

In the meantime, will check the OTL results and see what's up.

Thanks!


#44
October 19, 2011 at 22:29:19
If I'm right, here's the log from fixint number 1:


Pinging JoshuaKubiak-PC [127.0.0.1] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging 192.168.1.82 with 32 bytes of data:


And here's what number 2 gave me:


Pinging JoshuaKubiak-PC [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 192.168.1.82 with 32 bytes of data:
Reply from 192.168.1.82: bytes=32 time=1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.82:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
c:\qoobox\Add-Remove Programs.txt
c:\qoobox\BackEnv
c:\qoobox\ComboFix-quarantined-files.txt
c:\qoobox\ComboFix2.txt
c:\qoobox\Quarantine
c:\qoobox\SnapShot@2011-10-13_22.36.31.dat
c:\qoobox\SnapShot@2011-10-14_04.41.54.dat
c:\qoobox\Quarantine\C
c:\qoobox\Quarantine\catchme.log
c:\qoobox\Quarantine\Registry_backups
c:\qoobox\Quarantine\C\Program Files (x86)
c:\qoobox\Quarantine\C\Users
c:\qoobox\Quarantine\C\Windows
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToOLbar32.dll.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\uninstall.dat.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\installer.xml.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\toolbar.xml.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\update.xml.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_images.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_maps.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_news.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_videos.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\engine_web.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_games.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_msn.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_travel.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\index.html.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\NotIE6.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\OnlyIE6.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\SearchProtectIcon.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\protect\window.js.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\index.html.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\LeftImage.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\NotIE6.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\OnlyIE6.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.css.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\reactivate\window.js.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\separator.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\splitter.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png.vir
c:\qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png.vir
c:\qoobox\Quarantine\C\Users\Joshua Kubiak
c:\qoobox\Quarantine\C\Users\Joshua Kubiak\wevtapi.dll.vir
c:\qoobox\Quarantine\C\Windows\assembly
c:\qoobox\Quarantine\C\Windows\security
c:\qoobox\Quarantine\C\Windows\System32
c:\qoobox\Quarantine\C\Windows\System64
c:\qoobox\Quarantine\C\Windows\assembly\tmp
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\000000c0.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cb.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cf.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\80000000.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\800000c0.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\800000cb.@.vir
c:\qoobox\Quarantine\C\Windows\assembly\tmp\U\800000cf.@.vir
c:\qoobox\Quarantine\C\Windows\security\database
c:\qoobox\Quarantine\C\Windows\security\database\tmp.edb.vir
c:\qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
c:\qoobox\Quarantine\C\Windows\System32\Thumbs.db.vir
c:\qoobox\Quarantine\Registry_backups\AddRemove-StartNow Toolbar.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-(Default).reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-00TCrdMain.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-HSON.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-SmartFaceVWatcher.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-SmoothView.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-Teco.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-TosNC.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-TosReelTimeMonitor.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-TosWaitSrv.reg.dat
c:\qoobox\Quarantine\Registry_backups\HKLM-Run-TPwrMain.reg.dat
c:\qoobox\Quarantine\Registry_backups\Service_Updater Service for StartNow Toolbar.reg.dat
c:\qoobox\Quarantine\Registry_backups\tcpip.reg
c:\qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
c:\qoobox\Quarantine\Registry_backups\WebBrowser-{B54561DB-0BBB-41B4-A814-DF8301FE0A8E}.reg.dat
c:\qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-StartNowToolbarHelper.reg.dat
c:\qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
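The two fixint logs above (the batch from post #30 and its output in this post) show the one finding that decides the rest of the diagnosis: 100% loss to 127.0.0.1 means the machine cannot reach itself, so the fault is in the local TCP/IP stack or Winsock catalog, and no LAN or Internet test can pass until that is repaired. The Python script below is an added example and not part of this thread; its two sample logs are constructed to mirror the shape of the posted output (the hostname is a placeholder; the loopback and LAN addresses are the ones the batch file itself pings). It parses Windows `ping` output and ranks the findings in that order.

```python
import re

# Two constructed logs in the shape of the fixint.bat output posted in this
# thread (hostname replaced by a placeholder; addresses are the ones the batch
# pings). The first is the loopback failure, the second the repaired state.
LOG_BROKEN = """\
Pinging EXAMPLE-PC [127.0.0.1] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging 192.168.1.82 with 32 bytes of data:
"""

LOG_REPAIRED = """\
Pinging EXAMPLE-PC [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Pinging 192.168.1.82 with 32 bytes of data:
Reply from 192.168.1.82: bytes=32 time=1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128
Reply from 192.168.1.82: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.82:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# "Pinging HOST [ip] with ..." or "Pinging ip with ..."
PING_HEADER = re.compile(
    r"^Pinging (?:\S+ \[)?(\d{1,3}(?:\.\d{1,3}){3})\]? with \d+ bytes of data:",
    re.MULTILINE)
PING_STATS = re.compile(
    r"^Ping statistics for (\d{1,3}(?:\.\d{1,3}){3}):\s*\n"
    r"\s*Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)",
    re.MULTILINE)


def parse_ping_log(text):
    """Map each pinged IPv4 target to its packet counts, or to None when the
    log never reached that target's statistics block (run cut short)."""
    stats = {ip: {"sent": int(s), "received": int(r), "lost": int(l)}
             for ip, s, r, l in PING_STATS.findall(text)}
    return {ip: stats.get(ip) for ip in PING_HEADER.findall(text)}


def diagnose(text, loopback="127.0.0.1"):
    """Return (verdict, findings). Loopback is judged first: a host that
    cannot reach itself has a broken local stack, and every other result in
    the same log is meaningless until that is fixed."""
    results = parse_ping_log(text)
    findings, verdict = [], "OK"
    lo = results.get(loopback)
    if lo is None:
        verdict = "INCOMPLETE"
        findings.append(f"{loopback}: no statistics block; the run did not finish")
    elif lo["received"] == 0:
        verdict = "LOOPBACK_BROKEN"
        findings.append(f"{loopback}: {lo['lost']}/{lo['sent']} lost. The machine cannot "
                        "reach itself: repair the local TCP/IP stack and Winsock catalog "
                        "(netsh interface ipv4 reset, netsh winsock reset, then reboot) "
                        "before testing the LAN or the Internet")
    for ip, counts in results.items():
        if ip == loopback:
            continue
        if counts is None:
            findings.append(f"{ip}: no statistics block; log ends mid-ping")
            verdict = verdict if verdict != "OK" else "INCOMPLETE"
        elif counts["received"] == 0:
            reason = ("expected while loopback is broken" if verdict == "LOOPBACK_BROKEN"
                      else "suspect the adapter, its driver or a firewall filter")
            findings.append(f"{ip}: no replies; {reason}")
            verdict = verdict if verdict != "OK" else "LAN_UNREACHABLE"
        else:
            findings.append(f"{ip}: {counts['received']}/{counts['sent']} replies")
    return verdict, findings


if __name__ == "__main__":
    for label, log in (("fixint.bat", LOG_BROKEN), ("fixint2.bat", LOG_REPAIRED)):
        verdict, findings = diagnose(log)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

Run against a real log.txt with `diagnose(open("log.txt").read())`; the first sample yields LOOPBACK_BROKEN with the LAN ping noted as cut short, the second yields OK.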



#45
October 20, 2011 at 06:03:06
J_K,

Did you reboot after OTL was done, so that the files it targeted got removed? I think you did, but, please confirm.


Now, here is another batch file for you to run:

Click Start > Run, type: notepad and press Enter.
Once Notepad is open, copy/paste ALL the text below into Notepad:


@echo off
echo.Please wait...
ping localhost >log.txt 2>&1
rem Configuration of the two ZoneAlarm service entries OTL tried to remove.
sc qc vsmon >>log.txt 2>&1
sc qc Vsdatant >>log.txt 2>&1
rem SysNative is a WOW64 alias that exists only for 32-bit processes. An elevated
rem cmd on 64-bit Windows is 64-bit, so the first dir reports "path not found";
rem the second looks in the real 64-bit driver directory.
dir /a/b C:\Windows\SysNative\drivers\vsdatant.sys >>log.txt 2>&1
dir /a/b C:\Windows\System32\drivers\vsdatant.sys >>log.txt 2>&1
notepad log.txt


Click: File > Save As...
Save to the Desktop
'File Name', type: vschk.bat
'Save as type', select 'All files'

Once all of this has been done, click the 'Save' button and exit Notepad.

Now, to run the batch file in Windows 7, right-click 'vschk.bat' and select: Run as Administrator

Once the batch file has completed running it will close the window automatically.
Please post the log it produces in your reply.

Now, download SystemLook from one of the links below:
Link 1: http://jpshortstuff.247fixes.com/Sy...
Link 2: http://images.malwareremoval.com/jp...

Save the file to the Desktop
Double-click 'SystemLook.exe' to run it.
Copy ALL of the following into the open textfield:

:filefind
vsmon.exe
vsdatant.sys


Click the 'Look' button to start the scan.
When finished, a Notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.

Thanks!


#46
October 20, 2011 at 14:32:03
Yes, I did reboot after OTL had run; it popped up with a prompt informing me that it would have to do so to complete the process. Here's the vschk results:

Edit: I tried posting this twice. The first time, my internet went completely out, even on other machines. The second time, which managed to get through, the internet slowed to a near standstill. Either I have bad luck, or the site hates me.

Pinging JoshuaKubiak-PC [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vsmon
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TrueVector Internet Monitor
DEPENDENCIES : Afd
: RpcSs
: CryptSvc
: vsdatant
SERVICE_START_NAME : LocalSystem
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Vsdatant
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\vsdatant.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Zone Alarm Firewall Driver
DEPENDENCIES :
SERVICE_START_NAME :
The system cannot find the path specified.

And here are the SystemLook results:

SystemLook 30.07.11 by jpshortstuff
Log created at 07:05 on 20/10/2011 by Joshua Kubiak
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "vsmon.exe"
C:\_OTL\MovedFiles\10192011_143431\C_Program Files (x86)\Zone Labs\ZoneAlarm\repair\vsmon.exe --a---- 2435592 bytes [03:34 07/10/2011] [08:26 18/03/2011] EC84EBC7240B1E8F0556C0285FC02116
C:\_OTL\MovedFiles\10192011_143431\C_Windows\SysWOW64\ZoneLabs\vsmon.exe --a---- 2435592 bytes [03:34 07/10/2011] [08:26 18/03/2011] EC84EBC7240B1E8F0556C0285FC02116

Searching for "vsdatant.sys"
C:\Windows\System32\DriverStore\FileRepository\vsdatant.inf_amd64_neutral_f782e0172cdac971\vsdatant.sys --a---- 458840 bytes [03:32 07/10/2011] [23:30 15/05/2010] 48BFA6276BCC0535F5F8898107ED489A

-= EOF =-
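The vschk.bat output above is the pattern to look for after a partial uninstall or after a cleanup tool has moved files: a service entry that still exists and is set to AUTO_START but whose BINARY_PATH_NAME no longer points at a file on disk, plus a second entry that lists it as a dependency (vsmon depends on vsdatant). The Python below is an added example, not code from the thread or from the OTL or SystemLook authors. It parses `sc qc` output of the form posted here and checks each image path against a set of files handed to it, so it runs offline; that set is constructed from what the 64-bit SystemLook later reported (vsmon.exe already moved by OTL, vsdatant.sys still in System32\drivers). One caveat the batch itself illustrates: the `dir` on C:\Windows\SysNative ends with "The system cannot find the path specified" because SysNative is a WOW64 alias visible only to 32-bit processes, and an elevated cmd on 64-bit Windows is 64-bit; the driver was in fact present in C:\Windows\System32\drivers.

```python
import re

# Constructed copy of the `sc qc` portion of the vschk.bat log posted in this
# thread. The forum flattened sc's column alignment, so the parser accepts both
# the flattened form and the padded form sc normally prints.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vsmon
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TrueVector Internet Monitor
DEPENDENCIES : Afd
: RpcSs
: CryptSvc
: vsdatant
SERVICE_START_NAME : LocalSystem
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Vsdatant
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\vsdatant.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Zone Alarm Firewall Driver
DEPENDENCIES :
SERVICE_START_NAME :
The system cannot find the path specified.
"""

# Files present on disk in this scenario (constructed from the SystemLook_x64
# result later in the thread: vsmon.exe had been moved by OTL, the driver had not).
FILES_ON_DISK = {r"C:\Windows\system32\DRIVERS\vsdatant.sys"}

KEY_VALUE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
CONTINUATION = re.compile(r"^\s*:\s*(\S.*?)\s*$")       # extra DEPENDENCIES lines
IMAGE = re.compile(r'^"?(.*?\.(?:exe|sys|dll))"?(?:\s|$)', re.IGNORECASE)


def parse_sc_qc(text):
    """Turn concatenated `sc qc` output into {service_name: {field: value}}.
    DEPENDENCIES becomes a list; every other field stays a string."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        kv = KEY_VALUE.match(line)
        if kv:
            key, value = kv.groups()
            if key == "SERVICE_NAME":
                current = services.setdefault(value, {})
            elif current is not None:
                current[key] = ([value] if value else []) if key == "DEPENDENCIES" else value
            last_key = key
            continue
        cont = CONTINUATION.match(line)
        if cont and current is not None and last_key == "DEPENDENCIES":
            current["DEPENDENCIES"].append(cont.group(1))
    return services


def image_path(binary_path_name, system_root=r"C:\Windows"):
    """Reduce BINARY_PATH_NAME to the image file: drop arguments and quotes,
    and expand the relative, SystemRoot-prefixed and NT object-path forms."""
    m = IMAGE.match(binary_path_name)
    path = m.group(1) if m else binary_path_name
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot"):
        path = system_root + path[len("\\systemroot"):]
    if not re.match(r"^[A-Za-z]:\\", path):            # e.g. system32\DRIVERS\x.sys
        path = system_root + "\\" + path
    return path


def orphaned_services(sc_output, files_on_disk, system_root=r"C:\Windows"):
    """Flag services whose image is gone, and services blocked by such a
    dependency. Names are matched case-insensitively, because sc reports
    'Vsdatant' while vsmon lists the dependency as 'vsdatant'."""
    present = {p.lower() for p in files_on_disk}
    report = {}
    for name, cfg in parse_sc_qc(sc_output).items():
        image = image_path(cfg.get("BINARY_PATH_NAME", ""), system_root)
        report[name] = {"image": image, "present": image.lower() in present,
                        "start": cfg.get("START_TYPE", ""),
                        "depends_on": cfg.get("DEPENDENCIES", []), "blocked_by": []}
    missing = {n.lower() for n, info in report.items() if not info["present"]}
    for info in report.values():
        info["blocked_by"] = [d for d in info["depends_on"] if d.lower() in missing]
    return report


if __name__ == "__main__":
    for name, info in orphaned_services(SC_QC_OUTPUT, FILES_ON_DISK).items():
        state = "ok" if info["present"] else "ORPHANED (image missing)"
        print(f"{name}: {info['image']} -> {state}; start={info['start']}; "
              f"blocked_by={info['blocked_by'] or 'nothing'}")
```

On a live machine, feed it the log.txt that vschk.bat writes and a set built from `os.path.exists` checks instead of the constructed FILES_ON_DISK; an AUTO_START entry flagged ORPHANED is the leftover to delete (or to let the cleanup tool finish on reboot), and anything in blocked_by explains why a dependent service fails to start.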



#47
October 20, 2011 at 14:59:01
"WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results."

Hi J_Kubiak, aaflac44 will want you to show him the 64-bit results; here is the link.

http://jpshortstuff.247fixes.com/Sy...



#48
October 20, 2011 at 17:57:14
Thanks for the heads up John. New results! (also, my internet troubles were unrelated; just a temporary issue):

SystemLook 30.07.11 by jpshortstuff
Log created at 17:53 on 20/10/2011 by Joshua Kubiak
Administrator - Elevation successful

========== filefind ==========

Searching for "vsmon.exe"
C:\_OTL\MovedFiles\10192011_143431\C_Program Files (x86)\Zone Labs\ZoneAlarm\repair\vsmon.exe --a---- 2435592 bytes [03:34 07/10/2011] [08:26 18/03/2011] EC84EBC7240B1E8F0556C0285FC02116
C:\_OTL\MovedFiles\10192011_143431\C_Windows\SysWOW64\ZoneLabs\vsmon.exe --a---- 2435592 bytes [03:34 07/10/2011] [08:26 18/03/2011] EC84EBC7240B1E8F0556C0285FC02116

Searching for "vsdatant.sys"
C:\Windows\System32\drivers\vsdatant.sys --a---- 458840 bytes [03:34 07/10/2011] [23:30 15/05/2010] 48BFA6276BCC0535F5F8898107ED489A
C:\Windows\System32\DriverStore\FileRepository\vsdatant.inf_amd64_neutral_f782e0172cdac971\vsdatant.sys --a---- 458840 bytes [03:32 07/10/2011] [23:30 15/05/2010] 48BFA6276BCC0535F5F8898107ED489A

-= EOF =-



#49
October 20, 2011 at 18:32:35
Well, J_K, my bad!
Gave you the 32-bit links instead of the 64-bit for SystemLook.
You can rate me as 'worst answer'!!! :-(

Thank Johnw for coming to the rescue! ;-)

The Internet connection came back after repairing the messed up winsock, but it was not fully functional. The second log of the batch (fixint2.bat) report shows that the loopback was restored. After disabling and enabling both the wired and wireless adapters, and then removing the ZoneAlarm services (probably left behind after an incomplete uninstall), the applications got access to Internet.

So it took a combination of all the steps, and each step resolved a part of the issue.

Resolving networking/connection issues is not exactly 'my thing'.
Had to consult with an expert on this issue.

Just glad you got things working again!


Now, have to take a look at the status of the malware on your laptop.

Give me a day or two to start from Post #1, review what was done, and see if we need to do anything else.

In the meantime, make sure you have an AntiVirus program enabled!!
If you do not want to use Norton, will suggest Avast!, Microsoft Security Essentials, or Avira AntiVir. All three are free.

Personally, I use the avast! on my laptop and netbook, and MSE on the Desktop.
Just make sure there is no more than one AV installed.

Thanks for your patience.


#50
October 23, 2011 at 20:19:33
J-K,

This is where we left off, since there was trouble with the Internet connection:

See if you can now run the ESET Online Scanner

First, disable your AntiVirus and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

If needed, refer to the information available here to temporarily disable these programs:
http://www.bleepingcomputer.com/for...


Since you are using Windows Seven to perform this scan, go to 'Start' button, look for the browser icon, right-click it and select: 'Run as administrator'.

In the browser address bar, copy paste the following:
http://www.eset.com/us/online-scanner

Press the ESET Online Scanner button
In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
Allow the ActiveX to download, and click 'Install':
http://www.eset.com/us/online-scann...

Click: 'Start'
Make sure that the option 'Remove found threats' is unticked/unchecked
Click 'Scan', and wait for the scan to finish

If any threats are found, click the 'List of found threats', then click 'Export to text file...'
Save the file to your Desktop as: 'ESET Scan'

Please provide the contents of the 'ESET Scan' in your reply.


#51
October 23, 2011 at 23:03:26
Alright, I'll run that tomorrow. 'Tis late right now. I'll edit this post after I run it.


#52
October 24, 2011 at 08:35:45
Where are you located? I am in Illinois, USA.


#53
October 24, 2011 at 23:10:47
Never mind about editing that post. You might not see it at first. And I live in California by the way. But anyways, ESET came up clean. I am now 100% clean; thank you so much for all of your help. This looks to be the longest one you've done, and I'm glad you stuck with me. Hope that if we meet again, it's not under similar circumstances.

