Various sites including Microsoft, TrendMicro and other type of sites that might be helpful seem unavailable while most normal sites are easily accessible.

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:45 PM, on 8/11/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\bpanel\bin\bpanel.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Data Deposit Box\startup.exe
C:\Program Files\Data Deposit Box\backup.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4073299095-3253029702-3558299054-1012\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SiteBuilder')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Data Deposit Box.lnk = ?
O15 - ESC Trusted Zone: http://mmxbass.home.hexnet.com
O15 - ESC Trusted Zone: http://www.hexnet.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{510695A1-366A-4012-B323-1A43D0F822BB}: NameServer = 204.2.247.254,204.2.247.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{510695A1-366A-4012-B323-1A43D0F822BB}: NameServer = 204.2.247.254,204.2.247.250
O23 - Service: Bocacom bPanel Services (bPanel) -   - c:\program files\bpanel\bin\bpanel.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\nts.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\SiteBuilder\v2\docroot\sitebuilder.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 3390 bytes

My hosts file is normal and I have already run Spybot with no results.

Can you run a ping/tracert to these sites from a command prompt?

If ICMP is being blocked, do you at least get a DNS response?

Yeah I should have mentioned this. Nslookup finds stuff fine but when I actually try to use the domain from ping or IE or anything it's like it's never heard of the domain.

C:\Documents and Settings\Administrator>ping www.microsoft.com
Ping request could not find host www.microsoft.com. Please check the name and tr
y again.

C:\Documents and Settings\Administrator>nslookup www.microsoft.com
Server:  ns1.1vault.net
Address:  204.2.247.254

Non-authoritative answer:
Name:    lb1.www.ms.akadns.net
Addresses:  207.46.19.254, 207.46.19.190
Aliases:  www.microsoft.com, toggle.www.ms.akadns.net
          g.www.ms.akadns.net

Anything? Anything at all?
Buller?

Have you tried to disable your firewall temporarily, then navigate to microsoft?

Windows firewall was disabled to begin with. Other firewalls not even installed.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new HJT log.

It will be a day before I can restart the machine as required. Except in cases of extreme emergencies, the machine can only be restarted very late at night and only on weekends, as it serves several high-traffic corporate websites.

I will get back with results Saturday night or Sunday.

No worries :).

Looks like nothing came up it seems...

I have the feeling that it's old spyware that was removed but now the damage has been done (and not repaired).

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.2.3790 Service Pack 2

8/30/2009 2:37:28 PM
mbam-log-2009-08-30 (14-37-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 404522
Time elapsed: 1 hour(s), 44 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:47 PM, on 8/30/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\bpanel\bin\bpanel.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Data Deposit Box\startup.exe
C:\Program Files\Data Deposit Box\backup.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4073299095-3253029702-3558299054-1012\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SiteBuilder')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Data Deposit Box.lnk = ?
O15 - ESC Trusted Zone: http://blogengine.codeplex.com
O15 - ESC Trusted Zone: http://i1.codeplex.com
O15 - ESC Trusted Zone: http://www.codeplex.com
O15 - ESC Trusted Zone: http://mmxbass.home.hexnet.com
O15 - ESC Trusted Zone: http://www.hexnet.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{510695A1-366A-4012-B323-1A43D0F822BB}: NameServer = 204.2.247.254,204.2.247.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{510695A1-366A-4012-B323-1A43D0F822BB}: NameServer = 204.2.247.254,204.2.247.250
O23 - Service: Bocacom bPanel Services (bPanel) -   - c:\program files\bpanel\bin\bpanel.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\nts.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\SiteBuilder\v2\docroot\sitebuilder.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 4090 bytes

You never updated MBA-M as instructed. It still may find nothing, but it needs to be up-to-date.

Download Dial-a-Fix and run it. Select the 'Check all' (green arrow) and then hit 'GO.'
Reboot when done and see how things are now.

You never updated MBA-M as instructed. It still may find nothing, but it needs to be up-to-date.

Download Dial-a-Fix and run it. Select the 'Check all' (green arrow) and then hit 'GO.'
Reboot when done and see how things are now.

Actually I did do the update. It just failed. As for Dial-a-Fix, I ran it and I'll attempt a reboot tonight but it isn't looking promising.

You should mention things like that when you post :).
Get the update from here; http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Annnddd.... it ended up still finding nothing.

Dial-a-fix didn't seem to help either?

My main worry here is how nslookup can find microsoft.com easily but other apps like ping can't do the dns lookup. That strikes me as very messed up somehow.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

[*]Physically disconnect from the internet.

Unfortunately, this will not be possible. The machine is located in a data center in Ft. Lauderdale Florida (There is nobody to physically disconnect the machine.)

I need to make three points before I run this program:
1: I can access the machine using Remote Desktop and I can power cycle it remotely if unresponsive. That is all the control I have.
2: The machine has 32 IP addresses manually configured. I need to be absolutely 100% sure that this application will not do something like set the machine to use DHCP.
3: It seems like this program will be prompting me for answers while in an offline state? If that is the case, this app is already out of the question as there is no way to click the prompts while offline.

Thoughts?

Seems like you cannot run it at all as it will disconnect you from the net.
Suggest doing the following instead;
Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

=========

Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

==

If they do not work, I have no further suggestions :(.

Seems like you cannot run it at all as it will disconnect you from the net.
Suggest doing the following instead;
Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

=========

Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

==

If they do not work, I have no further suggestions :(.

I had already tried both of these approaches manually before having posted on Daniweb. Sorry.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.