Something Disabled Windows Firewall and Hijacked my Internet

October 16, 2012 at 21:41:51
Specs: Windows XP Pro SP3
A few days ago, my computer was infected with something. It couldn't do anything but go to some scam screen asking for money, but had a backup computer and a usb drive to get it running again.

I installed a new anti-virus (AVG) and I think it got the virus, but now every time I connect to the internet something connects and uses up all my connection. And a few minutes later AVG pops up a report that a virus was found in my c:\recycler folder. I have it take care of that, but internet connection is still in use even when nothing should be on it.

I tried to access Windows Firewall and have it block whatever was accessing the internet but get an error saying "Due to an unidentified problem, Windows cannot display Windows Firewall settings".

I just want to know if there's a way to find out what's accessing my internet, if it's dangerous, and how to finish cleaning out my computer.

October 16, 2012 at 22:35:14
"I think it got the virus"
I doubt it, give us the log please.

" if it's dangerous"

"how to finish cleaning out my computer"
Big job, will know more after looking at the log.

October 16, 2012 at 23:16:35
How do I get a log?

October 16, 2012 at 23:24:26
"How do I get a log?"
In your AVG file.

October 16, 2012 at 23:44:31
Okay, I found a log folder under Documents & Settings/All Users/Application Data/AVG2013
It's full of .cfg files.

Is that what you need to see? And where can I upload it for you?

October 17, 2012 at 00:29:06
AVG 2013 now appears it has its own way of examining logs, you can either use their forum & tools or, run ESET, then copy & paste the contents of the log here.

Run ESET & post the log please. This scan may take a while, so please be patient.
Configure ESET this way & disable your AV.
How to Temporarily Disable your Anti-virus
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.

October 17, 2012 at 05:47:54
The easiest thing to do is a quick scan with malwarebytes and fix all it finds:
These other 2 free programs also work great in picking up things others miss:
1- trojan remover
2- hitman pro
run them both till they run clean

If you have an unwanted rootkit installed try using these 3 progs in the EXACT order listed before rebooting.
a- rkill.exe
b- tdss killer
c- Malwarebytes

The above are the tools I start off with and can generally clean a PC in a minimal amount of time. Good Luck....and let us know if your problem is rectified....thanks

Some HELP in posting on plus free progs and instructions 7 Golds

October 17, 2012 at 21:42:51
Okay, that took longer than I thought it would, but I'm back.

So I downloaded all that stuff. I ran Malwarebytes, and it found 7 threats. Then I ran rkill, tdss, and Malwarebytes again. Which found 1 more threat. Then I ran Trojan Remover, which found 2 threats. And one of those 10 things must have been what was connecting to the internet without my permission.

After I had internet again, I ran the ESET Online Scanner, which found 5 threats. And I was able to update Malwarebytes and Trojan Remover; Malwarebytes found 1 threat.

So my internet is mine again, and system has been scrubbed. But I still can't access Windows Firewall. Will I need to reinstall it or something?

Also, here is the log from ESET Online Scanner, if you still think that will help:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=a1ef34790a020345bb6edf8f6010b9ce
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-18 12:57:19
# local_time=2012-10-17 07:57:19 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 93286 93286 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42811
# found=5
# cleaned=5
# scan_time=2313
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\i9ghpaqt.default\user.js JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\000a4332.exe a variant of Win32/Kryptik.ANCY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\0065db22.exe a variant of Win32/Injector.XSL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\jar_cache2335153792839909951.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1757981266-776561741-1547161642-1003\Dc4.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

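The ESET log above has a fixed shape: "# key=value" header lines (counters such as found and cleaned) followed by one line per detection, each ending in the action taken, a 32-hex-character field and a flag. The parser below is an added example, not code from this thread or from ESET; it assumes that layout and that file names contain no spaces, and its sample input is a constructed copy of three of the posted lines.

```python
import re

# Constructed sample: three of the five detection lines from the log posted above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 93286 93286 0 0
# scanned=42811
# found=3
# cleaned=3
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\i9ghpaqt.default\user.js JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\000a4332.exe a variant of Win32/Kryptik.ANCY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1757981266-776561741-1547161642-1003\Dc4.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
"""

# A detection line is: <path> <threat name> (<action>) <32 hex chars> <flag>.
# Paths contain spaces, so the path is assumed to end at the last backslash-separated
# token; a file name that itself contains a space would break this heuristic.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*\\\S+)\s+(?P<threat>.+?)\s+\((?P<action>[^)]*)\)"
    r"\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)

def parse_eset_log(text):
    """Return (header dict, list of detection dicts); repeated header keys keep the last value."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections

def check_log(header, detections):
    """Cross-check the header counters against the detection lines and list any file not reported as handled."""
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    not_handled = [d for d in detections
                   if not any(w in d["action"] for w in ("cleaned", "deleted", "quarantined"))]
    return {
        "counts_match": found == len(detections),
        "all_cleaned": cleaned == found and not not_handled,
        "unhandled_paths": [d["path"] for d in not_handled],
    }
```
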
October 17, 2012 at 23:04:31
Download and run SuperAntiSpyware free from this link:
This will fix it if the virus has blocked you from the firewall.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?

October 18, 2012 at 01:53:41
I tried SuperAntiSpyware. It found a few cookies and 1 problem, but didn't fix the firewall.

October 18, 2012 at 03:37:21
"Also, here is the log from ESET Online Scanner"

As I was the only one asking for a log, it would have been a lot more helpful if you ran ESET first, so I could see what was going on.
Have you ever tried to find a house or street without a number or street name, it's the same for finding the cause of the infection, we need info.

I will be very surprised if your comp is clean.

Run - Windows Repair & check > Repair Windows Firewall

October 18, 2012 at 05:33:42
ClayAllison , Spybot S&D should be able to take care of the firewall problem:

Some HELP in posting on plus free progs and instructions 7 Golds

October 18, 2012 at 11:10:20
The below will do a system restore.

Here's How:
Boot to Windows XP Safe Mode With Command Prompt.

At the Command Prompt, type C:\windows\system32\restore\rstrui.exe and press Enter.

Follow the instructions given to perform the System Restore process.

October 18, 2012 at 17:32:49
Sorry about not running the ESET scanner first. I tried, but my connection was so eaten up that it wasn't getting through. The tool was able to fix the Firewall though. So that's great!

My system is all working again, and though I'm sure I'll be worried that it didn't get all cleaned out I'll be sure to take better care to not let this happen again in the future. Thanks for all your help everyone!

October 19, 2012 at 01:27:53
"though I'm sure I'll be worried that it didn't get all cleaned out"

Let's dig deeper.

A guide and tutorial on using ComboFix
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
When finished, clear away any of the files and folders that were created by ComboFix.
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Qoobox is a folder created by Combofix to quarantine any infected files.
