Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#1
2 Computers, 1 Internet connection - moved by Jintan
Okay here's the problem:
I have two computers, one upstairs, one down. These computers both have a connection to my wireless N D-Link router. And they both still connect to the router (I can change the router's settings, etc.) But the problem is that the downstairs computer now only connects to the router and not the internet.

Here are a few details on what happened right before the problem: The downstairs computer used to not be able to connect to download.microsoft.com. So I wanted to fix it. Googled the problem and a guy told me a Trojan was keeping him from connecting and provided a link to software named Trojan Remover that he used to fix the problem. I ran the software and it said it fixed a whole bunch of Trojans and some registry keys. Ever since running the software the downstairs computer has not been able to connect to the internet, only the router. I am thinking it might have changed a registry key and had that effect. Any ideas? Thanks!

Update to problem: I connected an Ethernet cable to the computer and got internet just fine. I ran a software called "Network magic" (By Cisco) and it said it found that I was connected to the internet when I tried to troubleshoot. And I believe I am. All other signs show I am except for the fact that not a single program will access it. It appears as if the only problem is that it won't access the internet through my wireless connection.
#2
Check your wireless key is right
#3
Since you had it before you ran that trojan remover, then maybe you should do a system restore to a restore point just prior to running that remover - just to get your wireless internet service back.
Since there is a possible trojan, post in this board's malware forum and they will help you to get rid of it without wifi corruption.
#4
Thanks for the advice guys! This is one of the quicker help and support sites I've visited. I've already checked if my WEP key is right. I think it is. I don't really have a restore point to go to. I never made one.
#5
Windows creates restore points too so have a look.
#6
You may like to try and post in the Malware section too. There's a possibility you may have a DNS changer somewhere in there.
#7
That sounds like more of something I would be expecting.
#8
And on that note, Nds15, I have gone ahead and moved your request here to the CTH Malware Removal Forum. Let's check and see what all is there now.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button. If necessary allow it to locate or download a copy of HijackThis as needed. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
#9
Thank you very much for your help Jintan!
I'll do all that is suggested as soon as I find time to download those files and transport them to my basement PC. I'll get back as soon as I have a moment with the downstairs PC.
#10
Post when ready and we will review then.
#11
Okay, these are the results returned from the test you suggested in the form of 3 logs. Each one goes over the character limit for posting on this site so I am going to upload 3 text documents of the logs (all named according to what they are.)
Here is the link to download: http://www.mediafire.com/?sharekey=68c6c2034a75198f6b21be4093fab7acb4301c290ac101e1f1940a51b339e393
#12
Sorry - missed that you had replied here.
I won't be able to work from uploaded logs. You will need to break any larger log files into parts, then post those here. Use extra posts if needed. Also you can check other request threads in this forum to get an idea how it is done.
#13
Will do when I find time. Thanks!
#14
Post back when ready and we will review after. Late where I am, so it might be tomorrow, as time permits.
#15
Sorry it took a few weeks, but this issue just became urgent.
Gmer Log (Important parts, rest of log is over 2 million characters only mentioning the programs Nero, Open Office, Quicktime and Netbeans):

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 23:39:39
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ethan\LOCALS~1\Temp\kxtdqpow.sys

---- System - GMER 1.0.15 ----

SSDT spha.sys ZwCreateKey [0xF84160E0]
SSDT spha.sys ZwEnumerateKey [0xF8434CA2]
SSDT spha.sys ZwEnumerateValueKey [0xF8435030]
SSDT spha.sys ZwOpenKey [0xF84160C0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB97D0B4C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB97D0C3A]
SSDT spha.sys ZwQueryKey [0xF8435108]
SSDT spha.sys ZwQueryValueKey [0xF8434F88]
SSDT spha.sys ZwSetValueKey [0xF843519A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB97D0AB0]

INT 0x62 ? 8236FBF8
INT 0x63 ? 81E5ABF8
INT 0x73 ? 82372BF8
INT 0x82 ? 8236FBF8
INT 0x83 ? 81E5ABF8
INT 0xB4 ? 81E5ABF8

---- Kernel code sections - GMER 1.0.15 ----

? spha.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F79D38AC 5 Bytes JMP 81E5A1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 823722D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8447C4C] spha.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8447CA0] spha.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8417040] spha.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841713C] spha.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84170BE] spha.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84177FC] spha.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84176D2] spha.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81E5A2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8427048] spha.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8236D1F8
Device 81BCC500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
Device \Driver\usbohci \Device\USBPDO-0 81F0B1F8
Device \Driver\usbohci \Device\USBPDO-1 81F0B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823DD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 823DD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 823DD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 823DD1F8
Device \Driver\usbehci \Device\USBPDO-2 81E4E500
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 823701F8
Device \Driver\Cdrom \Device\CdRom0 81E431F8
Device \Driver\Cdrom \Device\CdRom1 81E431F8
Device \Driver\Cdrom \Device\CdRom2 81E431F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81D43500
Device \Driver\WudfRd \Device\UMDFCtrlDev-13a4b1d2-af7a-11de-9e56-00b08c01158f B2B26156
Device \Driver\NetBT \Device\NetbiosSmb 81D43500
Device \Driver\USBSTOR \Device\00000087 FE5EB1F8
Device \Driver\USBSTOR \Device\00000088 FE5EB1F8
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
Device \Driver\USBSTOR \Device\00000089 FE5EB1F8
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
Device \Driver\usbohci \Device\USBFDO-0 81F0B1F8
Device \Driver\usbohci \Device\USBFDO-1 81F0B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81D86500
Device \Driver\usbehci \Device\USBFDO-2 81E4E500
Device 81D86500
Device \Driver\Ftdisk \Device\FtControl 823701F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C1DA4BA5-CF91-4217-84B9-A10B0EA49C46} 81D43500
Device \Driver\si3112r \Device\Scsi\si3112r1Port2Path0Target0Lun0 823DC1F8
Device \Driver\si3112r \Device\Scsi\si3112r1 823DC1F8
Device \FileSystem\Fastfat \Fat 81BCC500
AttachedDevice \FileSystem\Fastfat \Fat 8236E1F8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d066246
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\MSSQL$SQLEXPRESS$AUDIT@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\MSSQL$SQLEXPRESS$AUDIT@EventMessageFile c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\Resources\1033\sqlevn70.rll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 G:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d066246 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\MSSQL$SQLEXPRESS$AUDIT@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\MSSQL$SQLEXPRESS$AUDIT@EventMessageFile c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\Resources\1033\sqlevn70.rll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 G:\Program Files\DAEMON Tools Lite\
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6EA2C965-6425-71AC-15E7-11725D01080F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6EA2C965-6425-71AC-15E7-11725D01080F}@iaeofaonjimadnialp 0x63 0x61 0x6E 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6EA2C965-6425-71AC-15E7-11725D01080F}@haipiajnlnllhfbg 0x67 0x61 0x62 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F7623BF9-99A6-C378-4FE2-6503539C9803}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F7623BF9-99A6-C378-4FE2-6503539C9803}@gapjidlhfbhfdf 0x63 0x61 0x70 0x66 ...

---- Files - GMER 1.0.15 ----

(Nero, Quicktime, Netbeans and Open Office Files.)

---- EOF - GMER 1.0.15 ----
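
As an added illustration (not part of the thread, and not code from GMER or the forum), one way to triage a log like the one in post #15 is to group its SSDT and IAT hook entries by owning module and list first the modules that carry no file description or that GMER could not open on disk. The function names are made up for this example, and the sample is a trimmed set of lines copied from that log.

```python
import re
from collections import defaultdict

# Entries copied from the GMER log in post #15 above (a trimmed subset).
SAMPLE_LOG = r"""
SSDT spha.sys ZwCreateKey [0xF84160E0]
SSDT spha.sys ZwOpenKey [0xF84160C0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB97D0B4C]
SSDT spha.sys ZwSetValueKey [0xF843519A]
? spha.sys The system cannot find the file specified. !
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8447C4C] spha.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8417040] spha.sys
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<mod>.+?)\s+(?P<fn>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
MOD_RE = re.compile(r"^(?P<path>.+?\.sys)(?:\s+\((?P<desc>.+)\))?$", re.I)
IAT_RE = re.compile(r"^IAT\s+(?P<victim>.+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<mod>\S+)$")
MISSING_RE = re.compile(r"^\?\s+(?P<mod>\S+)\s+The system cannot find the file specified\.")

def driver_name(path):
    """File name of a driver path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(log_text):
    """Group SSDT/IAT hook entries by the module that owns the hook."""
    mods = defaultdict(lambda: {"ssdt": [], "iat": [], "vendor": None, "missing": False})
    for line in map(str.strip, log_text.splitlines()):
        if m := SSDT_RE.match(line):
            mod = MOD_RE.match(m["mod"])
            entry = mods[driver_name(mod["path"] if mod else m["mod"])]
            entry["ssdt"].append(m["fn"])
            if mod and mod["desc"]:
                entry["vendor"] = mod["desc"]  # description/company GMER printed
        elif m := IAT_RE.match(line):
            mods[driver_name(m["mod"])]["iat"].append((m["victim"], m["imp"]))
        elif m := MISSING_RE.match(line):
            mods[driver_name(m["mod"])]["missing"] = True
    return dict(mods)

def review_first(report):
    """Hooking modules with no file description, or whose file GMER could not open."""
    return sorted(name for name, e in report.items()
                  if (e["ssdt"] or e["iat"]) and (e["missing"] or not e["vendor"]))

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name in review_first(report):
        e = report[name]
        print(f"{name}: {len(e['ssdt'])} SSDT, {len(e['iat'])} IAT hooks, missing={e['missing']}")
```

A module on this list is a candidate for closer inspection, not a verdict: the same log lists sptd service keys pointing at DAEMON Tools Lite, and that software's SPTD driver is known to hook registry system calls under a generated driver name.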