-
July 3rd, 2011, 04:47 PM
#76
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\winlogon.exe
- C:\WINDOWS\system32\svchost.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
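VirusTotal keys its reports by file hash, so the "already analyzed" notice above means the verdict you are shown belongs to whatever bytes carry that hash, not necessarily to the file currently on your disk. The following added example (not part of the original thread, and not VirusTotal's own code) parses the "File info" block in the format the thread pastes, hashes the local file in chunks, and reports any field that disagrees. Running it offline against a saved copy of the report tells you whether the verdict applies to the file you actually have, and a later mismatch shows the file changed on disk. The sample file and sample report below are constructed (the three digests of the string "abc" are standard test vectors).

```python
"""Check that a VirusTotal 'File info' report describes the same bytes as a local file.
Added example, not code from the original thread or from VirusTotal."""
import hashlib
import os
import re
import tempfile

# Field patterns for the 'File info' block as pasted in the thread
# (MD5: / SHA1: / SHA256: / File size: N bytes), one per line.
_FIELDS = {
    "md5": re.compile(r"^MD5:\s*([0-9a-fA-F]{32})\s*$", re.M),
    "sha1": re.compile(r"^SHA1:\s*([0-9a-fA-F]{40})\s*$", re.M),
    "sha256": re.compile(r"^SHA256:\s*([0-9a-fA-F]{64})\s*$", re.M),
    "size": re.compile(r"^File size:\s*(\d+)\s*bytes", re.M),
}


def parse_vt_file_info(text):
    """Return {'md5', 'sha1', 'sha256', 'size'} from a pasted report; ValueError if a field is absent."""
    out = {}
    for key, rx in _FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError("missing %s in report" % key)
        out[key] = int(m.group(1)) if key == "size" else m.group(1).lower()
    return out


def hash_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks (system binaries can be large); same keys as the report."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            size += len(block)
            for h in hs.values():
                h.update(block)
    out = {k: h.hexdigest() for k, h in hs.items()}
    out["size"] = size
    return out


def compare_with_report(path, report_text):
    """Return (matches, mismatched_fields). All three digests must agree, not just MD5:
    MD5 collisions are practical, so SHA-256 is the one to trust."""
    local = hash_file(path)
    report = parse_vt_file_info(report_text)
    bad = [k for k in ("size", "md5", "sha1", "sha256") if local[k] != report[k]]
    return (not bad), bad


# Constructed sample report for the 3-byte file "abc" (standard test-vector digests).
ABC_REPORT = """File info:
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
File size: 3 bytes
"""


def demo():
    """Write a constructed file containing b'abc' and check it against ABC_REPORT."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    try:
        tmp.write(b"abc")
        tmp.close()
        return compare_with_report(tmp.name, ABC_REPORT)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    # On the affected machine you would instead pass the real path, e.g.
    # r"C:\WINDOWS\system32\winlogon.exe", and the report text pasted in the thread.
    print(demo())
```

If `compare_with_report` reports a mismatch on `size` or `sha256`, re-upload the file rather than trusting the cached verdict: the analysis you were shown was of different bytes.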
-
July 3rd, 2011, 06:08 PM
#77
winlogon.exe
Antivirus results (engine - version - last update - result; an empty result means no detection)
AhnLab-V3 - 2011.07.04.00 - 2011.07.03 - -
AntiVir - 7.11.10.200 - 2011.07.03 - -
Antiy-AVL - 2.0.3.7 - 2011.07.03 - -
Avast - 4.8.1351.0 - 2011.07.03 - -
Avast5 - 5.0.677.0 - 2011.07.03 - -
AVG - 10.0.0.1190 - 2011.07.03 - -
BitDefender - 7.2 - 2011.07.03 - -
CAT-QuickHeal - 11.00 - 2011.07.03 - -
ClamAV - 0.97.0.0 - 2011.07.03 - -
Commtouch - 5.3.2.6 - 2011.07.03 - -
Comodo - 9265 - 2011.07.03 - -
DrWeb - 5.0.2.03300 - 2011.07.03 - -
eSafe - 7.0.17.0 - 2011.07.03 - -
eTrust-Vet - 36.1.8421 - 2011.07.01 - -
F-Prot - 4.6.2.117 - 2011.07.03 - -
F-Secure - 9.0.16440.0 - 2011.07.03 - -
Fortinet - 4.2.257.0 - 2011.07.02 - -
GData - 22 - 2011.07.03 - -
Ikarus - T3.1.1.104.0 - 2011.07.03 - -
Jiangmin - 13.0.900 - 2011.07.03 - -
K7AntiVirus - 9.107.4863 - 2011.07.01 - -
Kaspersky - 9.0.0.837 - 2011.07.03 - -
McAfee - 5.400.0.1158 - 2011.07.03 - -
McAfee-GW-Edition - 2010.1D - 2011.07.03 - -
Microsoft - 1.7000 - 2011.07.03 - -
NOD32 - 6262 - 2011.07.03 - -
Norman - 6.07.10 - 2011.07.03 - -
nProtect - 2011-07-03.01 - 2011.07.03 - -
Panda - 10.0.3.5 - 2011.07.03 - -
PCTools - 8.0.0.5 - 2011.07.01 - -
Prevx - 3.0 - 2011.07.04 - -
Rising - 23.64.04.03 - 2011.07.01 - -
Sophos - 4.67.0 - 2011.07.03 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.07.03 - -
Symantec - 20111.1.0.186 - 2011.07.03 - -
TheHacker - 6.7.0.1.247 - 2011.07.03 - -
TrendMicro - 9.200.0.1012 - 2011.07.03 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.07.03 - -
VBA32 - 3.12.16.4 - 2011.07.01 - -
VIPRE - 9762 - 2011.07.03 - -
ViRobot - 2011.7.2.4546 - 2011.07.03 - -
VirusBuster - 14.0.107.2 - 2011.07.03 - -
File info:
MD5: ed0ef0a136dec83df69f04118870003e
SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07
SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
File size: 507904 bytes
Scan date: 2011-07-03 21:51:20 (UTC)
*** Help others less fortunate.
JESUS IS LORD !
-
July 3rd, 2011, 06:20 PM
#78
svchost.exe
Antivirus results (engine - version - last update - result; an empty result means no detection)
AhnLab-V3 - 2011.07.04.00 - 2011.07.03 - -
AntiVir - 7.11.10.200 - 2011.07.03 - -
Antiy-AVL - 2.0.3.7 - 2011.07.03 - -
Avast - 4.8.1351.0 - 2011.07.03 - -
Avast5 - 5.0.677.0 - 2011.07.03 - -
AVG - 10.0.0.1190 - 2011.07.03 - -
BitDefender - 7.2 - 2011.07.03 - -
CAT-QuickHeal - 11.00 - 2011.07.03 - -
ClamAV - 0.97.0.0 - 2011.07.03 - -
Commtouch - 5.3.2.6 - 2011.07.03 - -
Comodo - 9265 - 2011.07.03 - -
DrWeb - 5.0.2.03300 - 2011.07.03 - -
eSafe - 7.0.17.0 - 2011.07.03 - -
eTrust-Vet - 36.1.8421 - 2011.07.01 - -
F-Prot - 4.6.2.117 - 2011.07.03 - -
F-Secure - 9.0.16440.0 - 2011.07.03 - -
Fortinet - 4.2.257.0 - 2011.07.02 - -
GData - 22 - 2011.07.03 - -
Ikarus - T3.1.1.104.0 - 2011.07.03 - -
Jiangmin - 13.0.900 - 2011.07.03 - -
K7AntiVirus - 9.107.4863 - 2011.07.01 - -
Kaspersky - 9.0.0.837 - 2011.07.03 - -
McAfee - 5.400.0.1158 - 2011.07.03 - -
McAfee-GW-Edition - 2010.1D - 2011.07.03 - -
Microsoft - 1.7000 - 2011.07.03 - -
NOD32 - 6262 - 2011.07.03 - -
Norman - 6.07.10 - 2011.07.03 - -
nProtect - 2011-07-03.01 - 2011.07.03 - -
Panda - 10.0.3.5 - 2011.07.03 - -
PCTools - 8.0.0.5 - 2011.07.01 - -
Prevx - 3.0 - 2011.07.04 - -
Rising - 23.64.04.03 - 2011.07.01 - -
Sophos - 4.67.0 - 2011.07.03 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.07.03 - -
Symantec - 20111.1.0.186 - 2011.07.03 - -
TheHacker - 6.7.0.1.247 - 2011.07.03 - -
TrendMicro - 9.200.0.1012 - 2011.07.03 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.07.04 - -
VBA32 - 3.12.16.4 - 2011.07.01 - -
VIPRE - 9763 - 2011.07.04 - -
ViRobot - 2011.7.2.4546 - 2011.07.03 - -
VirusBuster - 14.0.107.2 - 2011.07.03 - -
File info:
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
File size: 14336 bytes
Scan date: 2011-07-03 22:15:24 (UTC)
-
July 3rd, 2011, 06:29 PM
#79
Create new Windows profile with admin rights as described here: http://support.microsoft.com/kb/811151 and see, if you'll be getting same errors there.
-
July 3rd, 2011, 08:59 PM
#80
Well, no error messages, because t5ql.dll has copied itself back into the C:\windows\system32 folder...
It's been a long day Broni,
I appreciate all your help.
More and more I think it's in the mbr.
Dave
-
July 3rd, 2011, 09:20 PM
#81
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
-
July 3rd, 2011, 10:43 PM
#82
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-03 21:37:13
-----------------------------
21:37:13.109 OS Version: Windows 5.1.2600 Service Pack 3
21:37:13.109 Number of processors: 1 586 0x304
21:37:13.109 ComputerName: COMPUTER1 UserName: Dave
21:37:13.718 Initialize success
21:44:25.078 AVAST engine defs: 11070301
21:55:37.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:55:37.078 Disk 0 Vendor: WDC_WD800EB-00DJF0 77.07W77 Size: 76319MB BusType: 3
21:55:39.078 Disk 0 MBR read successfully
21:55:39.078 Disk 0 MBR scan
21:55:39.078 Disk 0 Windows XP default MBR code
21:55:41.078 Disk 0 scanning sectors +156280320
21:55:41.093 Disk 0 scanning C:\WINDOWS\system32\drivers
21:56:01.875 Service scanning
21:56:02.734 Disk 0 trace - called modules:
21:56:02.734 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:56:02.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863a0ab8]
21:56:02.734 3 CLASSPNP.SYS[f74d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x863cdd98]
21:56:03.234 AVAST engine scan C:\WINDOWS
22:34:02.281 File: C:\WINDOWS\system32\t5ql.dll **INFECTED** Win32:Malware-gen
22:36:30.750 AVAST engine scan C:\Documents and Settings\Dave
22:40:42.468 AVAST engine scan C:\Documents and Settings\All Users
22:42:05.375 Scan finished successfully
22:42:18.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dave\Desktop\MBR.dat"
22:42:18.750 The log file has been saved successfully to "C:\Documents and Settings\Dave\Desktop\aswMBR.txt"
-
July 3rd, 2011, 10:52 PM
#83
MBR seems to be fine, but let's reset it.
Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console, then press Enter, but you only have 2 seconds by default.
If you find this hard to do, you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.
You should get a black screen with a C:\> prompt. Type with an Enter after each line:
fixmbr
(If it asks you if you are sure then say "Y".)
exit
Reboot computer.
Post fresh aswMBR log.
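aswMBR's "Windows XP default MBR code" line comes from comparing the first sector's boot code with what it expects, and the MBR.dat it saves is a raw 512-byte copy of that sector, so the "before" and "after fixmbr" images can be compared directly. The following added example (not aswMBR's code and not from the original thread) parses such an image: it checks the 55AA boot signature, reads the four partition entries, rejects an invalid status byte or overlapping partitions (both classic signs of a tampered table), hashes the 440-byte boot code, and lists the byte offsets at which two images' boot code differs. The sample images are constructed with `build_sample_mbr`; their partition layout and disk signature are made-up values, not data from Dave's disk.

```python
"""Parse a 512-byte MBR image (e.g. aswMBR's MBR.dat) and diff its boot code against a second image.
Added example, not part of aswMBR or the original thread; sample data below is constructed."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # x86 boot code; bytes 440..445 are the disk signature + padding
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(image):
    """Describe a 512-byte MBR image; raise ValueError if it is malformed."""
    if len(image) < SECTOR:
        raise ValueError("MBR image must be at least %d bytes" % SECTOR)
    sector = image[:SECTOR]
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                        # empty slot
        if status not in (0x00, 0x80):
            raise ValueError("entry %d has invalid status byte 0x%02x" % (i, status))
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "lba_end": lba_start + sectors})
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_end"] > b["lba_start"]:
            raise ValueError("partitions %d and %d overlap" % (a["index"], b["index"]))
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "bootable_count": sum(p["bootable"] for p in parts),
        "partitions": parts,
    }


def diff_bootcode(image_a, image_b):
    """Offsets in the boot code where two MBR images differ (empty list = identical code)."""
    a, b = image_a[:BOOTCODE_LEN], image_b[:BOOTCODE_LEN]
    return [i for i in range(BOOTCODE_LEN) if a[i] != b[i]]


def build_sample_mbr(bootcode_fill, partitions):
    """Construct a test image: filler boot code, a fixed disk signature, the given partitions.
    partitions: list of (status, type, lba_start, sector_count) tuples, at most four."""
    code = bytes([bootcode_fill]) * BOOTCODE_LEN
    sig = struct.pack("<IH", 0xDEADBEEF, 0)      # constructed disk signature + 2 padding bytes
    table = b""
    for status, ptype, start, count in partitions:
        table += struct.pack("<B3sB3sII", status, b"\x01\x01\x00", ptype,
                             b"\xfe\xff\xff", start, count)
    table += b"\x00" * (PART_ENTRY_LEN * (4 - len(partitions)))
    return code + sig + table + MBR_SIGNATURE


# Constructed samples: one bootable type-0x07 (NTFS) partition starting at LBA 63.
# SAMPLE_AFTER keeps the same table but different boot code, standing in for an image
# saved again after the boot code was rewritten.
SAMPLE_BEFORE = build_sample_mbr(0x90, [(0x80, 0x07, 63, 156280257)])
SAMPLE_AFTER = build_sample_mbr(0x33, [(0x80, 0x07, 63, 156280257)])


if __name__ == "__main__":
    # Real use: parse_mbr(open("MBR.dat", "rb").read()) on the file aswMBR left on the desktop.
    before = parse_mbr(SAMPLE_BEFORE)
    print("partitions:", before["partitions"])
    print("boot code bytes changed:", len(diff_bootcode(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

After running fixmbr, compare the new MBR.dat with the one saved before it: `diff_bootcode` should list the bytes fixmbr rewrote while `parse_mbr` shows the same partition table in both, since fixmbr only replaces the boot code. A changed partition table, a second bootable entry, or an overlap error points to something other than a plain MBR reset.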
-
July 3rd, 2011, 11:04 PM
#84
Tomorrow
Later
-
July 3rd, 2011, 11:17 PM
#85
-
July 4th, 2011, 07:53 AM
#86
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-04 06:11:49
-----------------------------
06:11:49.765 OS Version: Windows 5.1.2600 Service Pack 3
06:11:49.765 Number of processors: 1 586 0x304
06:11:49.765 ComputerName: COMPUTER1 UserName: Dave
06:11:51.218 Initialize success
06:12:03.937 AVAST engine defs: 11070301
06:12:07.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
06:12:07.125 Disk 0 Vendor: WDC_WD800EB-00DJF0 77.07W77 Size: 76319MB BusType: 3
06:12:09.125 Disk 0 MBR read successfully
06:12:09.125 Disk 0 MBR scan
06:12:09.125 Disk 0 Windows XP default MBR code
06:12:11.125 Disk 0 scanning sectors +156280320
06:12:11.140 Disk 0 scanning C:\WINDOWS\system32\drivers
06:12:31.781 Service scanning
06:12:32.812 Disk 0 trace - called modules:
06:12:32.828 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
06:12:32.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86388ab8]
06:12:32.828 3 CLASSPNP.SYS[f74d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86369b00]
06:12:33.265 AVAST engine scan C:\WINDOWS
06:51:49.828 File: C:\WINDOWS\system32\t5ql.dll **INFECTED** Win32:Malware-gen
06:54:11.125 AVAST engine scan C:\Documents and Settings\Dave
06:59:44.359 AVAST engine scan C:\Documents and Settings\All Users
07:01:02.734 Scan finished successfully
07:50:24.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dave\Desktop\MBR.dat"
07:50:24.796 The log file has been saved successfully to "C:\Documents and Settings\Dave\Desktop\aswMBR.txt"
Note: when I ran fixmbr I got a warning that my MBR had some inconsistencies in it. I forget the exact verbiage.
-
July 4th, 2011, 09:18 AM
#87
Broni,
I am beginning to back up all my data and make sure I have all the necessary drivers I will need to reinstall.
You have tried very hard to get to the bottom of this problem, but it seems we're not getting anywhere. If you do not see a definitive and effective route to get rid of these trojans, then I suggest we throw in the towel and I will reload. It's almost to the point where in the time spent so far on this I'd almost be done reloading.
I admire your dedication to my and other people's problems.
Thank you,
Dave
-
July 4th, 2011, 12:16 PM
#88
OK, give me fresh GMER log.