Internet Access Blocked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bill75080, Dec 10, 2004.

  1. Bill75080

    Bill75080 Private E-2

    PC used by a teenager had major spyware problems. Using Adaware, I found 1075 occurrences and removed them. Using Spybot, I found another 27 and removed them. I have installed and configured Spyware Blaster.

    PC still slow and cannot access network (peer to peer) or Internet.

    Here is HJT log:

    Edit by chaslang: Inline log changed to attachment

    I would appreciate advice.

    Thanks,

    Bill
     
    Last edited by a moderator: Dec 10, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is the last step and we have rules about how and when to post a log.

    Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    If still having a problem after the above, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.

    I changed your previous inline log to an attachment!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After following the steps from my previous post, do the following if you notice you still have problems and the items listed here are still in your HJT log.

    Look in Add/Remove programs for anything to do with WildTangent and also Toolbar. If found, uninstall them.
    Download and run about:Buster (see the READ ME FIRST tutorial).
    Make sure you have system restore disabled and viewing of hidden files enabled (per the READ ME FIRST tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes, and if found to be running, End them:
    MediaPIayer.exe
    prvtect.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Windows Media Player] MediaPIayer.exe <---- Added by the SDBOT-QO TROJAN!
    O4 - HKLM\..\RunServices: [Windows Media Player] MediaPIayer.exe
    O4 - HKCU\..\Run: [prvtect] C:\WINDOWS\System32\prvtect.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...ron/install.cab
    O20 - AppInit_DLLs: mad.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Toolbar <--- the whole directory
    C:\Windows\System32\MediaPIayer.exe
    C:\WINDOWS\System32\prvtect.exe
    C:\WINDOWS\System32\mad.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Note: About C:\WINDOWS\System32\prvtect.exe
    "Prutect" malware - attempts to shut down or tamper with a number of anti-spyware applications, like Ad-Aware and SpyBot S&D. - It has been seen using alternative file names like prdtect.exe, prmtect.exe and so forth!

    Question:
    Do you recognize the below IP addresses to be from your ISP? Is your ISP Charter Communications?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA7AFD0-04C5-4338-8E8D-C0E3020B5390}: NameServer = 68.113.206.10,66.169.221.10
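    The triage above boils down to a handful of checks on HJT log sections: R0/R1 search settings pointed at about:blank or a res:// DLL, O4 Run entries whose file name is a look-alike of a legitimate one (the trojan's MediaPIayer.exe uses a capital I where the real name has a lowercase l) or follows the Prutect naming pattern, O17 nameservers that do not belong to the user's ISP, and any non-empty O20 AppInit_DLLs value. The script below is an added example, not part of the thread or any MajorGeeks tool; it runs those checks over constructed sample lines modelled on the entries quoted in this post, and the nameserver allowlist, known-name list and the second O17 line (192.0.2.53, a documentation address) are assumptions made for the demonstration.

```python
"""Triage HijackThis-style log lines for the hijack patterns discussed in the thread."""
import re

# Constructed sample: HijackThis-style lines modelled on the entries quoted in the thread,
# plus one benign O4 line and one constructed bad O17 line. Not the poster's real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O4 - HKLM\..\Run: [Windows Media Player] MediaPIayer.exe
O4 - HKCU\..\Run: [prvtect] C:\WINDOWS\System32\prvtect.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA7AFD0-04C5-4338-8E8D-C0E3020B5390}: NameServer = 68.113.206.10,66.169.221.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O20 - AppInit_DLLs: mad.dll
"""

# Assumption: the DNS servers the user's ISP (Charter, per the thread) is expected to hand out.
EXPECTED_NAMESERVERS = {"68.113.206.10", "66.169.221.10"}

# Assumed list of names a Run entry may legitimately resemble. The trojan's file mimics
# "MediaPlayer.exe" with a capital I in place of the lowercase l.
KNOWN_NAMES = {"mediaplayer.exe", "ctfmon.exe", "explorer.exe", "svchost.exe"}

# Characters that are visually confusable in common proportional fonts.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

# Per the thread, the "Prutect" family rotates its name: prvtect.exe, prdtect.exe, prmtect.exe ...
PRUTECT_RE = re.compile(r"^pr[a-z]tect\.exe$", re.IGNORECASE)

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def fold_confusables(name: str) -> str:
    """Normalise a file name so that homoglyph variants compare equal."""
    return name.translate(CONFUSABLES).lower()


def impersonated_name(filename: str):
    """Return the known name this file name imitates via confusable characters, or None."""
    folded = fold_confusables(filename)
    for known in KNOWN_NAMES:
        if folded == fold_confusables(known) and filename.lower() != known:
            return known
    return None


def run_target_filename(body: str) -> str:
    r"""Extract the bare executable name from an O4 body like 'HKLM\..\Run: [x] C:\dir\y.exe'."""
    target = body.split("]", 1)[1].strip() if "]" in body else body
    target = target.split(" ")[0].strip('"')   # drop command-line arguments
    return target.replace("/", "\\").rsplit("\\", 1)[-1]


def analyze(log_text: str):
    """Return a list of (section, reason, line) findings for the hijack patterns in the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            # Search/start settings forced to about:blank or served out of a local DLL
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value == "about:blank" or value.startswith("res://"):
                findings.append((sec, "browser search setting hijacked to " + value, line))
        elif sec == "O4":
            fname = run_target_filename(body)
            mimic = impersonated_name(fname)
            if mimic:
                findings.append((sec, f"{fname} imitates {mimic} with confusable characters", line))
            elif PRUTECT_RE.match(fname):
                findings.append((sec, f"{fname} matches the Prutect naming pattern", line))
        elif sec == "O17":
            servers = body.split("NameServer =", 1)[1] if "NameServer =" in body else ""
            bad = [s.strip() for s in servers.split(",")
                   if s.strip() and s.strip() not in EXPECTED_NAMESERVERS]
            if bad:
                findings.append((sec, "DNS server not from expected ISP: " + ",".join(bad), line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Any DLL listed here is loaded into every process that links user32.dll
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append((sec, f"AppInit_DLLs loads {dlls} into every user32 process", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in analyze(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

The confusable-character fold is what turns the eyeball check in the post ("MediaPIayer" versus "MediaPlayer") into something repeatable; the benign ctfmon.exe line produces no finding because it equals its known name literally, and the first O17 line is silent because both addresses are in the expected set, which is exactly the question chaslang asks the poster to confirm.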
     
  4. Bill75080

    Bill75080 Private E-2

    Thanks and sorry for the faux pas.
    Yes, Charter Comm is the ISP
    Did as you instructed and everything was removed except MAD.DLL
    Tried to go into Safe Mode and delete it but it always says it is being used by another process.
    Checked Registry and only found one mention of this file:
    HKLM | Software | Microsoft | Windows NT | Current Version | Windows | AppInit.dll has a value of mad.dll.

    Tried Killbox to remove this file. That program failed with this message:
    "PendingFileRenameOperations Registry Data has been Removed by External Process."

    Hmmm

    Any other suggestions?

    Bill
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First locate the mad.dll file again with Win Explorer and right click on it and select Properties. Then select the Version tab. Go thru the list of Item name info. I want to see who this belongs to.

    There is a method for removing AppInit_DLLs but first I want to be sure about who put it there.

    Is your Internet access still blocked? Please download the new version of HijackThis 1.99 and post me a new log.
     
