Lost Internet Browsing Capability

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tony Vovers, Feb 28, 2005.

  1. Tony Vovers

    Tony Vovers Private E-2

    I am in the 5th day of an odyssey, stuck in a relatively remote corner of West Africa, and am pulling out my hair.
    My daughter's Sony PCG-FXA53 with XP SP1 started some unusual events that have culminated in a complete loss of internet access even though the machine is on the network.
    MSN Messenger started to log itself on and send out messages to the buddy list.
    Symptoms were a loss of all control capability - Ctrl-Alt-Del did nothing, Regedit did nothing, msconfig did nothing, mmc did nothing. :D :eek:
    The machine had McAfee antivirus installed but it obviously did not pick it up - DAT files about 1 month old.
    At this time internet still worked.
    Managed to get a new version of McAfee installed and ran it - it found a trojan virus but like an idiot I deleted the file without writing down the name.
    I went to Windows update site to get latest fixes as symptoms persisted. Unfortunately Windows pushed SP2 to me, maybe where my real problems start. :eek:
    During review I found several strange things - adware was deleted and kept re-appearing. In particular I noticed a fake "Norman antivirus" appearing in the registry RUN section that would keep getting written back every time I changed screens.
    I used Lavasoft and Spybot at this time and cleaned a few things out including Wild Tangent.
    I found that the virus had written all sorts of commands into multiple desktop.ini files all over the computer.
    After a lot of deleting I have managed to clean boot and get rid of all virus and adware, but now it seems to be damaged.
    The machine will connect to the internet.
    I can actually transfer files across the WAN to my w2000 machine but it is totally blocked from web browsing - "connection refused" with IE and Mozilla.

    I notice that for some reason, in and out of the web browser, the machine prompts me to confirm I need to run scripts (even when opening a help file).
    During the infected period I saw "My computer" sitting in the Internet security settings box, next to Internet/Intranet, Trusted - it is no longer there.

    I have run all the recommended Spyware retrieval, and cleaners as per FAQ here.
    Everything seems to work fine but it will not give me a web page. HS Cleaner found 8 items after everything else was finished.
    Short of killing and losing all my software (the software was preloaded at factory and I do not have recovery disks) is there anything that can be done to get the thing going?
    Everything seems to work except internet access is blocked.
    TCP/IP is working, but I can only ping the local router.

    I have run HijackThis and all remaining items seem to be from normal applications.

    Any suggestions beyond complete rebuild??
    :confused:
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to do as many steps as possible below; if nothing else, just get us an HJT log using version 1.99.1 and we will go from there.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT. All instructions are covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com; PhilliePhan, Chaslang or myself will check back when time permits!

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you but that we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge, however you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. Tony Vovers

    Tony Vovers Private E-2

    Re: Lost Internet Browsing Capability - HiJack attached

    Here is Hijack this log I just ran on the system.
    Note I have already "uninstalled" SP2 but it made no difference.
    The version is the latest, 1.99.
    It was run from the d:\Hijack folder.
    The machine has a C: and a D: drive.
    Run in normal boot mode of XP (not safe mode).

    Any ideas where to go??
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Do you know what FreeRAM XP Pro 1.40 is and do you use it?

    Second:

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O15 - Trusted Zone: http://*.mcafee.com
    O15 - Trusted Zone: http://*.windowsupdate.com

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Third:

    I don't see any bad problems in this log. Have you checked drivers, connections, etc.?
     
  5. Tony Vovers

    Tony Vovers Private E-2

    The "FreeRAM" is an application that I found in the last 24 hrs on a site that had a lot of spyware cleaners. I don't think it is involved. I can remove it.
    Also, the line items you highlighted were all added after my cleanup attempts were started.
    The HSCleaner is one of your recommended cleaning tools.
    I put the items in "trusted" sites to see if security changes would help my system to connect.

    It seems I have somehow damaged my TCP/IP connectivity - not sure how - and the security will no longer let me in.
    I have compared all settings, setting by setting, with another XP machine but with no success.

    I ran HijackThis and cleaned a bunch of things 4 days ago - if you are interested I have attached the old post from Feb 23rd here.
    What you see now is after my own butchery.
    Thanks for the feedback.
    If you have any ideas on what else to do, drop a note.
    TV :eek: :(
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There were several bad things in that log. Did you just remove them from HJT or did you remove them from HJT and delete all the files/folders?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Did you note the HJT version is only 1.98.2?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, that was their old log; they were showing it to me to let me see what all they had/removed. It was quite nasty!
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Tony Vovers,

    When you fixed the things you did with HJT, did you remove the files as well or just fix them with HJT ?
     
  10. Tony Vovers

    Tony Vovers Private E-2

    Not 100% sure what you mean by "files and folders".
    Initially I deleted from HJT.
    However some of the line items would not "disappear"; they kept coming back.
    "Norman antivirus" was one of them I remember.
    It took a lot of struggling to get that one to go away.
    Seems somehow it was being reloaded from modified versions of desktop.ini files.

    Then I went a bit wild in Add/Remove Programs and deleted anything I felt was not necessary or could be recovered easily later.
    I also ran a few different registry cleaners.

    Is there something I missed in the tutorial about the cleaning routine that I could still try?
    My personal opinion is that I have some registry changes that are affecting security and blocking my web browsing. I just cannot find them.

    It is not normal to be prompted about scripts when trying to connect to www.google.com
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When you fix an entry with HJT, for example:

    O4 - HKLM\..\Run: [Norman Antivirus] NORMANANTIVIRUS.EXE

    This line, after you fix this with HJT you would then need to reboot and delete the file in safe mode.

    Did you do this for everything you fixed in HJT that had files ??
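    The two points made about HJT entries in this thread (post 4's R0 start-page and O15 Trusted Zone lines, and post 11's point that fixing an O4 Run entry in HJT leaves the program file on disk) can be checked mechanically. The following is an added example, not code from the thread or from HijackThis: a small parser for HJT log lines that pulls out start pages, Trusted Zone hosts and O4 Run commands, then checks whether the file an O4 entry points at still exists. The sample log text is constructed to resemble the entries quoted above; the "fake System32" directory and the placeholder NORMANANTIVIRUS.EXE it creates are assumptions made so the script runs offline on any system.

```python
import os
import re
import tempfile

# Constructed sample HJT log lines (not the poster's real log), modelled on the
# entries quoted in this thread: two R0 start-page lines, two O4 Run entries
# (one of them the fake "Norman Antivirus") and two O15 Trusted Zone lines.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [Norman Antivirus] NORMANANTIVIRUS.EXE
O4 - HKLM\..\Run: [FreeRAM XP Pro] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" /autostart
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.windowsupdate.com
"""

# Every HJT entry line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 registry autostart entry: hive\..\key: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def parse_hjt(text):
    """Return (code, body) tuples for every HJT entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def start_pages(entries):
    """R0/R1 lines that set the IE start page -> list of (hive, url)."""
    out = []
    for code, body in entries:
        if code in ("R0", "R1") and "Start Page = " in body:
            hive = body.split("\\", 1)[0]
            out.append((hive, body.split("Start Page = ", 1)[1].strip()))
    return out


def trusted_zones(entries):
    """O15 lines -> list of host patterns that were added to the IE Trusted zone."""
    return [body.split(":", 1)[1].strip() for code, body in entries
            if code == "O15" and body.startswith("Trusted Zone:")]


def run_entries(entries):
    """O4 Run/RunOnce registry entries -> list of (hive, value name, command line)."""
    out = []
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("command")))
    return out


def executable_of(command):
    """Pull the program path out of a Run command line: a quoted path is taken
    whole, otherwise the first whitespace-separated token is the program."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def leftover_files(entries, search_dirs):
    """For every O4 entry, report (value name, path) if the program file still
    exists on disk. A bare file name (no directory part) is looked for in each
    of search_dirs, mimicking the lookup Windows does for such Run values."""
    found = []
    for _hive, name, command in run_entries(entries):
        exe = executable_of(command)
        if not exe:
            continue
        has_dir = "\\" in exe or "/" in exe
        candidates = [exe] if has_dir else [os.path.join(d, exe) for d in search_dirs]
        for path in candidates:
            if os.path.isfile(path):
                found.append((name, path))
    return found


def demo_leftovers():
    """Stand-alone demonstration: build a throw-away 'System32' holding a
    placeholder NORMANANTIVIRUS.EXE (constructed for this example, not malware)
    and show that the O4 entry for it still points at a file on disk after the
    registry value alone has been 'fixed'. Returns the names of such entries."""
    entries = parse_hjt(SAMPLE_HJT_LOG)
    with tempfile.TemporaryDirectory() as fake_system32:
        with open(os.path.join(fake_system32, "NORMANANTIVIRUS.EXE"), "wb") as fh:
            fh.write(b"MZ")  # two placeholder bytes, nothing executable
        leftovers = leftover_files(entries, [fake_system32])
    return [name for name, _path in leftovers]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LOG)
    print("start pages:", start_pages(found))
    print("trusted zones:", trusted_zones(found))
    print("Run entries whose file is still on disk:", demo_leftovers())
```

    The point the script makes is the one in the post above it: HJT rewrites the registry value, but `leftover_files()` still finds NORMANANTIVIRUS.EXE in the search directory, so the file has to be deleted separately (in safe mode, as bjgarrick says) or the next autostart reference will simply run it again.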
     
  12. Tony Vovers

    Tony Vovers Private E-2

    Sorry, but yes, I went to safe mode to make the fixes.
    However they did not get fixed even in there.
    Even in safe mode this thing was being re-written to the registry.
    I found by some Google searching a hint that showed me this was due to some executable files being run from "desktop.ini" files even in safe mode.
    After some review I found several hundred of these were modified by whatever bug was eating my life.
    I deleted all of these desktop.ini files that looked like they had something beyond an Icon action - deleting about 150 versions of desktop.ini and eventually managed to boot in safe mode and have HJT delete the records without them being re-written.
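    The poster's triage rule above, keep the desktop.ini files that only carry an icon setting and delete the ones that carry "something beyond an Icon action", can be automated instead of done by hand across several hundred files. The following is an added example, not code from the thread: it walks a directory tree, parses every desktop.ini with the standard library INI parser, and flags any file that has a section or key outside the set Windows itself writes, or a value that names an executable. The allow-list of known sections and keys is an assumption from XP-era shell behaviour, not something the thread states; the two sample desktop.ini files (one benign, one with a made-up [Startup] section pointing at NORMANANTIVIRUS.EXE) are constructed for the example.

```python
import configparser
import os
import tempfile

# Sections and keys Windows Explorer writes into a folder's desktop.ini.
# Assumption: allow-list reconstructed from memory of XP-era shell behaviour;
# None means any key is acceptable in that section.
KNOWN_SECTIONS = {
    ".shellclassinfo": {"iconfile", "iconindex", "iconresource", "infotip",
                        "localizedresourcename", "confirmfileop", "nosharing",
                        "clsid", "clsid2", "defaultdropeffect", "foldertype"},
    "viewstate": {"mode", "vid", "foldertype", "logo"},
    "localizedfilenames": None,  # one key per renamed file, so any key is fine
}
ICON_KEYS = {"iconfile", "iconresource"}  # legitimately point at .dll/.exe icon sources
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")

# Constructed samples, not files from the poster's machine.
BENIGN_INI = r"""[.ShellClassInfo]
IconFile=%SystemRoot%\system32\shell32.dll
IconIndex=-238
[ViewState]
Mode=
Vid=
FolderType=Documents
"""
SUSPICIOUS_INI = r"""[.ShellClassInfo]
IconFile=%SystemRoot%\system32\shell32.dll
IconIndex=3
[Startup]
Run=C:\WINDOWS\System32\NORMANANTIVIRUS.EXE
"""


def classify_desktop_ini(text):
    """Return the reasons a desktop.ini looks tampered with; an empty list means
    it only carries the icon/view settings Explorer writes itself."""
    # RawConfigParser: no % interpolation (values contain %SystemRoot%), and
    # strict=False tolerates the duplicate keys Explorer sometimes leaves behind.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["unparseable: %s" % exc]
    reasons = []
    for section in cp.sections():
        name = section.lower()
        if name not in KNOWN_SECTIONS:
            reasons.append("unknown section [%s]" % section)
        allowed = KNOWN_SECTIONS.get(name)
        for key, value in cp.items(section):  # option names are lower-cased by configparser
            value = value or ""
            if allowed is not None and key not in allowed:
                reasons.append("unexpected key %s in [%s]" % (key, section))
            if key not in ICON_KEYS and any(suf in value.lower() for suf in EXEC_SUFFIXES):
                reasons.append("key %s in [%s] names an executable: %s" % (key, section, value))
    return reasons


def scan_tree(root):
    """Walk root and return {relative path: reasons} for every flagged desktop.ini."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                reasons = classify_desktop_ini(fh.read())
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged


def demo_scan():
    """Stand-alone demonstration on a throw-away tree with one clean and one
    tampered folder; paths are returned with '/' so the result is portable."""
    with tempfile.TemporaryDirectory() as root:
        for folder, body in (("clean", BENIGN_INI), ("infected", SUSPICIOUS_INI)):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "desktop.ini"), "w", encoding="utf-8") as fh:
                fh.write(body)
        flagged = scan_tree(root)
    return {rel.replace(os.sep, "/"): reasons for rel, reasons in flagged.items()}


if __name__ == "__main__":
    for path, reasons in demo_scan().items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

    On a real machine the call would be `scan_tree(r"C:\")` run from safe mode, with the flagged files reviewed before deletion rather than removed blindly, since a legitimate desktop.ini with an unusual but harmless key would be listed too. Anything whose value names an executable is the case the post describes and deserves the closest look.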
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post me a current HJT log from the infected machine with no internet access. Also, is SpyBot and Ad-Aware on the infected machine?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to confirm these nasties are gone, make sure these dont exist.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\QuickSearch <-- Delete whole folder if it exists!

    C:\Program Files\Logitech <-- Delete whole folder if it exists!

    C:\WINDOWS\System32\NORMANANTIVIRUS.EXE
    Note: Search for this file to be sure you get every one if it still exists.
     
