#1 | 05-16-2006 | btalman (Elite Member)
[Resolved] Darn, never had to post here. Strange dns problem

Hi guys, I'd like to hear your opinion on this:
A friend of mine had the following story, and by phone, we couldn't solve it...
Settings:
- 'Clean' winXP system
- Zonealarm installed
- computer is a laptop, connected wireless to a router, with 2 more computers on the network, all mac filtered, wpa encrypted, you name it

Situation:
- Zonealarm denied svchost32.exe access to 61.74.63.1 while trying to use internet explorer

Tried (in order of appearance :-))
- Let him make a HJTlog, which was clean
- Taken a look at the windows hosts file, had 1 extra rule, he didn't tell me what, but deleted it so it only said 127.0.0.1 localhost
- Reboot, no result
- Allow zonealarm to connect and see what happens
- Still, no result
- Uninstalled zonealarm, reboot, no result
- LSPFix, indicated no errors/problems
- After some more searching and searching we started regedit
- All the adapters showed, at the dns setting in the register, 61.74.63.1. But, he can connect to his wireless home network, even tried reconfiguring the network settings on the laptop, still, no result
- Tried removing all those, probably malicious entries, reboot, no result,
- O.k. I hated this part, tried a system restore
- And once again, no result...

Extra info:
- All other computers don't have any problems
- The only 'spyware/adware' found were tracking cookies
- 61.74.63.1 belongs to a well known spammer, kornet.net

Hijackthislog attached, as well as the hidden runnres log (note, the hosts file now contains 1, legitimate entry)

Thanks in advance guys. The problem is, I don't have access to his system, so everything has been done by phone and email, so maybe that's why I'm overlooking something.
Bram
Attached Files
File Type: log hijackthis.log (3.9 KB, 2 views)
File Type: txt Startup Programs (KIDSPC) 2006-05-15 21 11 55.txt (8.1 KB, 1 views)


#2 | 05-16-2006 | btalman (Elite Member)

O.k. a quick update, I forgot to mention I sent him some instructions to:
- Flush the dns and reregister the computer (ipconfig /flushdns and ipconfig /registerdns). Try, and if that didn't work to:
- Restart the windows dhcp and dns client
Any suggestions are always welcome :-)


#3 | 05-17-2006 | joe5 (Elite Member, Netherlands)

Hya BT.

LOL, you explained just about everything except the actual problem. But from the things you tried out I figure he can't connect to the net.

And svchost32.exe immediately rings warning bells.
That's probably one of these two:

http://securityresponse.symantec.com...mail.i@mm.html
http://securityresponse.symantec.com...mail.j@mm.html

And the removal tool for either of them:
http://securityresponse.symantec.com...oval.tool.html

What do you mean with "'Clean' winXP system"? Is it a fresh install? And if yes, did he have a firewall installed before connecting to the net?

And it looks like the hosts file isn't clean:

HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!
Hoster should be able to fix that:

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original Hosts file.


And he could also get rid of this one, but we'll fix that with hjt.

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

These can be fixed with hjt:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/APPS/IE/offline/nl.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\nl.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\nl.htm


Also he now only uses Network Associates AV and Zonealarm? There is still a service from Symantec security center running on his pc.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
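
An added example, not part of the original thread or any poster's code: the two checks discussed above (per-adapter DNS values in the registry and non-localhost hosts entries), run offline over a `reg export` of the Tcpip `Interfaces` key and a copy of the hosts file. The adapter GUIDs, the router address 192.168.1.1 and the sample hosts entry are constructed assumptions; only 61.74.63.1 comes from the thread.

```python
import re

# Constructed sample: text of a `reg export` of
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
# (real exports are UTF-16; decode before passing the text in).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-AAAA-BBBB-CCCC-000000000001}]
"NameServer"="61.74.63.1"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-AAAA-BBBB-CCCC-000000000002}]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
'''

# Constructed sample hosts file: one loopback line, one extra mapping.
SAMPLE_HOSTS = """127.0.0.1   localhost
203.0.113.9 www.example.com   # not localhost
"""

def unexpected_dns(reg_text, allowed):
    """Return [(adapter_guid, value_name, server)] for resolvers not in `allowed`."""
    findings, guid = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):  # new key: remember which adapter we are in
            m = re.match(r'\[.*\\Interfaces\\(\{[^}]+\})\]$', line)
            guid = m.group(1) if m else None
            continue
        m = re.match(r'"(NameServer|DhcpNameServer)"="(.*)"$', line)
        if m and guid:
            # Windows stores several servers comma- or space-separated.
            for server in re.split(r'[,\s]+', m.group(2).strip()):
                if server and server not in allowed:
                    findings.append((guid, m.group(1), server))
    return findings

def non_localhost_hosts(hosts_text):
    """Return [(ip, name)] for hosts entries that do not map to loopback."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and not (fields[0].startswith('127.') or fields[0] == '::1'):
            out.extend((fields[0], name) for name in fields[1:])
    return out

if __name__ == "__main__":
    print(unexpected_dns(SAMPLE_REG, allowed={"192.168.1.1"}))
    print(non_localhost_hosts(SAMPLE_HOSTS))
```

A static `NameServer` value on an adapter that is supposed to use DHCP is the case worth flagging: it overrides whatever the router hands out in `DhcpNameServer`.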

#4 | 05-17-2006 | btalman (Elite Member)

Hi m8, we did a full scan with an up to date mcafee virusscanner (in safe mode)
Tried sfc /scannow
Removed the error from the hosts file ourselves (only left 127.0.0.1 localhost)
The symantec thingy also startled me a little, since this is supposed to be a system reinstalled. Anyway, thanks for the advice for now, I'll take a look at the symantec security center for now. The default homepage is just a little advertising from the laptop manufacturer, and since he uses firefox ;-)
I'll be back :-)


#5 | 05-18-2006 | joe5 (Elite Member, Netherlands)

Did Mcafee find and delete the Mimail worm? Also did you manage to get rid of the Symantec leftovers?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#6 | 05-18-2006 | btalman (Elite Member)

Hi Joe, haven't got a response from him in a few days now. I'll head over there next week and let you know :-)


#7 | 05-19-2006 | joe5 (Elite Member, Netherlands)

Alright, keep me updated.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

