Internet connection problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by IMSA, Jan 15, 2005.

  1. IMSA

    IMSA Private First Class

    Girlfriend went out to some movie star website and now can't connect to the internet. She ran Ad-Aware and had 140+ problems, then the computer showed a box that said the system is shutting down in 60 seconds. We deleted Ad-Aware thinking something got attached to it and tried to get on the internet again. No go. She goes into Internet Options and the home page says "blank". She changes the address to Google to access the net, and she gets some page saying she can't access the net. She rechecks the home page address and it says "blank" again. We tried the MS internet wizard, tried restarting her computer in "last known configuration that worked", and still no luck. Any ideas or what to look for? By the way, her computer is exactly like mine listed below.

    IMSA
     
  2. tigerray00

    tigerray00 Specialist

    Ok, what you have here is a spyware problem. Hopefully one of the MODs will move this thread there. Here's a link that should help you fix what needs to be fixed.

    http://forums.majorgeeks.com/showthread.php?t=35407


    Try to go through each and every step that applies to you (basically all of them). As you go through them keep us posted on what happens, and let us know if you run into any problems. But please at least attempt each step. This will give our people here a better chance to work on exactly what you need to do to fix this. :)
     
  3. IMSA

    IMSA Private First Class

    Thank you Tigerray00, I'll give it a shot

    IMSA
     
  4. IMSA

    IMSA Private First Class

    Been trying to work through the instructions. We get to Remote Procedure Call Helper and disable it as directed. We disable the RPC, yet it will not stay disabled. Any ideas?

    IMSA
     
  5. tigerray00

    tigerray00 Specialist

    When you click apply does it remain disabled as long as you don't reboot?
     
  6. IMSA

    IMSA Private First Class

    Correct. When we reboot it's on again.

    IMSA
     
  7. tigerray00

    tigerray00 Specialist

    When you turned it off, did you have to reboot?

    Try not to reboot when going through the steps until you absolutely have to.
    Chaslang or one of our other experts will come and help you through all of this as soon as they get the chance to.
     
  8. IMSA

    IMSA Private First Class

    I tried to stop and disable the "Remote Procedure Call (RPC) Helper" selecting appropriate functions on the General tab. I then noticed that under the Logon tab there is also a way to disable the hardware profile which I did also. Since performing all this disabling I haven't needed to reboot the system (it hasn't automatically closed down on me) so in theory, I should be able to proceed forward.
    I should mention that I'm following steps 1-4 (Getting Prepared: Steps to be sure your system is ready to be scanned). In step #1 the directions weren't exactly XP-specific, but I think I got through the steps as they were described. The only part of step #1 that I may have missed was that I wasn't able to "scan for the problem" as I didn't exactly know what I should be looking for.
    I'm now on step #4 (Downloading Tools), however I can't download anything as I don't have internet access ("about:blank" issue). Any ideas?
     
  9. tigerray00

    tigerray00 Specialist

    If you have access to another computer (preferably one with a CD burner) you can download the files you need there. Then you can either burn them to a CD (if a burner is available), or you can e-mail them to yourself (assuming you can still check your mail).
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you saw "Remote Procedure Call (RPC) Helper" and not "Remote Procedure Call (RPC)" ?

    You must make sure you match the service listed EXACTLY as indicated in the thread. If you shutdown the wrong service you could make big problems for yourself.

    Also, is your OS fully up to date with ALL Windows updates? It sounds like your "system is shutting down in 60 seconds" message is related to a Blaster worm. Perhaps you should run the below just in case:
    Symantec W32.Blaster.Worm Removal Tool

    I moved you to the Spyware Forum!
     
  11. IMSA

    IMSA Private First Class

    Tigerray00 - Yes, thanks, we'll try the e-mail idea first as that appears to still be working.

    ------------------------------------------------------------------------

    Chaslang - Yes, we saw "Remote Procedure Call (RPC) Helper" NOT "Remote Procedure Call (RPC)" and have disabled it.

    The OS is fully up to date with all Windows updates.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I did not see where that was stated for an absolute fact. And disabling the regular RPC can do what was stated (restart).

    You should skip that step and continue finishing the rest of the READ ME FIRST and see where things stand. At that point, if still having a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  13. IMSA

    IMSA Private First Class

    Hello wonderful Computer Experts,
    This is IMSA's girlfriend replying with an update. I've completed the steps listed on the "Getting Prepared & Scanning Cleaning Steps" document. In most cases I ran the software listed multiple times, especially if it kept indicating errors. There appear to have been hundreds of problems, even though the machine was Ad-Aware clean a week previously. One of the major issues appears to be the "about:blank" issue that many other people are experiencing. I first noticed this when using the SpywareBlaster tool. In examining the IE browser page entries I noticed multiple "about:blank" entries which I manually changed to "www.google." That was when I immediately got back internet access. As previous entries indicated, there was also the problem with the Remote Procedure Call (RPC) Helper. This helper no longer appears as one of the msc services. Presumably one of the tools removed it.
    A current issue involves running Ad-Aware SE with the plug-in. After I ran this multiple times attempting to remove problems I eventually (with much rebooting and reloading of Ad-Aware software) was able to get down to 0 problems. Unfortunately, when running it the next day there were at least 40 "new" critical problems. When trying to remove these errors using Ad-Aware SE the system seizes up, forcing a reboot. One of these errors reads "Win32.TrojanDownloader.Agent.al." Is there a reason why this particular agent can't be removed (along with the other 39 issues)? Can trojans send out intelligence to the mother ship after they are removed and subsequently send out more agents to infect your machine? Also, I'm concerned with so many problems currently being "blocked"; is there a way to remove them permanently? Thanks so much for your help. Perhaps you may have some ideas concerning how to remove the TrojanDownloader agent, which may be the reason the machine keeps getting reinfected (?). We've performed many hours of blasting, cleaning, shredding, killing, stinging, and removing. Hopefully you have a few more ideas to resolve this issue... Thank you again for all your patience and help...
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, they can phone home! That's why (if you read some of the thousand or so related threads) you will see us recommending things like:
    - no browsers being run
    - no internet access available (unplug the cable - they can still get out if it is connected)

    Post the HJT log per my previous directions. I believe the TrojanDownloader agent is just another name for the HSA/about:blank hijacker family. They can literally put hundreds or more files in both c:\windows and c:\windows\system32. They will be of many extension types (.DLL, .EXE, .DAT, .HTML). Quite often they are hidden and system files, making them harder to find. And some will be ADS infected, making them harder to remove. There are also many places they will insert items into the registry to make removal more difficult.

    Post the log and let's see what your current state is.
     
  15. IMSA

    IMSA Private First Class

    Re: Internet connection prob./Trojan & Critical Errors

    Thanks Chaslang:

    I've included the info from the HJT Log and also from a TrojanHunter log. The machine still locks up when running Ad-Aware SE after it discovers 40 some critical errors. Hope you see something we can address-

    Edit by chaslang: Inline HJT and Trojan Hunter logs changed to attachment
     

    Attached Files:

    Last edited by a moderator: Jan 23, 2005
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Internet connection prob./Trojan & Critical Errors

    Please read the below again! You ignored all of it but the version number of HJT! I changed your logs into attachments this time. (Not next time.) But you must correct the other issues.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    The below should not be running and you MUST correct the HJT installation:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    You're running HJT from the ZIP file:
    C:\DOCUME~1\cynthia\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    Notice you have one of the services related to HSA running:
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netaq32.exe

    Did you try to stop and disable per the tutorial? Did it immediately restart?

    Try booting in safe mode (with viewing of hidden files enabled) and see if you can delete any of those files Trojan Hunter complained about. They are all part of the HSA infection. Let me know what happens.

    You have other stuff we need to fix before we tackle the HSA problem.
     
    Last edited: Jan 23, 2005
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Internet connection prob./Trojan & Critical Errors

    It may be necessary to uninstall or disable PowerPanelPlus later (we will see) in order to work on this problem. It may become necessary for us to pull your power plug at a point, and we do not want an orderly shutdown. That's how this hijacker respawns itself.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Internet connection prob./Trojan & Critical Errors

    After resolving where HJT is installed. Let's start the first step of the fixes.

    First step:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    Now reboot in normal mode and post a new HJT log.

    After you come back and post your follow up HJT log DO NOT REBOOT. That could cause the hijacker to mutate making any fixes I suggest useless. You can disconnect from the internet for security (by unplugging the cable) but do not reboot!!!!
     
  19. IMSA

    IMSA Private First Class

    Thanks Chaslang,

    I'm sorry about the incorrect HJT logs and appreciate your patience.
    I'll try and go through the directions again and see how far I get.
    This is my first HJ problem, so I'm ridiculously new to all of this.... ~The girlfriend
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Let me know when you finish those steps. Remember!! Do not reboot.
     
  21. IMSA

    IMSA Private First Class

    Okey dokey. I started in again from the top and have tried to attach the latest HJT file as requested. I've also included some information derived from some of the scanning/cleaning tools in case that helps with troubleshooting.

    The only step I haven't attempted yet is to try and delete some of the files that Trojan Hunter considered possible problems. I've attached them for your review so that you can select any items that seem appropriate. I'm afraid I would select something that would screw things up further, so I'll await your reply concerning this piece of the project. (They indicate that these may or may not be issues.)

    A positive event is that all of the tools are now working properly and that it appears that some fairly suspicious items such as a file "c:\ntdetect.hta Download.Trojan" (which Symantec detected) have been deleted. I was also able to run additional software that wasn't possible the first time around and presumably have deleted additional critical items.
    I'm still curious about messages such as the one SpyBot produces which indicates that "749 bad products are blocked, 1583 additional protections are possible. Please immunize." I "immunized", but does this software continuously block these items? It seems like that would create at least a minor bit of overhead. It would be nice to get rid of them completely.

    I may have uploaded the files incorrectly or made other mistakes so just let me know what needs to be done. I appreciate your help and expertise. Thank you in advance. ~Girlfriend in Training......
     

    Attached Files:

  22. IMSA

    IMSA Private First Class

    Oh, I forgot to mention that I wasn't sure about the very last instructions that I was given regarding the move.reg file. At the end of the instructions the message indicated to "Boot into safe mode and use Windows Explorer to delete:" but there wasn't anything after the colon. I may have screwed up because I continued on with the instructions and rebooted back into normal mode and posted a new HJT log (as the next instruction indicates.) If there was something I was supposed to delete in Windows Explorer, I'll need some further instruction. Sorry if this was a problem. ~Girlfriend in Training
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There were no files to delete in safe mode. I just forgot to delete that line from a copy and paste of standard message.

    Did you forget to fix these last time with HJT:
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    They are still there. Try again! Make sure you click FIX. Let me know what happens. Just look at a new HJT log and see if they are gone.
     
    Last edited: Jan 26, 2005
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to remember to always shut down Internet Explorer sessions (and other browsers) before running HijackThis. You had this running:
    C:\Program Files\Internet Explorer\iexplore.exe

    The below notepad session should not be running either:
    C:\WINDOWS\system32\notepad.exe

    Also, you never finished putting HijackThis where I requested. You are still running it from the ZIP file:
    C:\DOCUME~1\cynthia\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    You are not getting any backups doing this. You must fix this now.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And about those files Trojan Hunter found, yes try to delete them. Boot into safe mode and delete:


    C:\WINDOWS\system32\apiop.exe
    C:\WINDOWS\system32\apiwi32
    C:\WINDOWS\system32\appdm.exe
    C:\WINDOWS\system32\atlal32
    C:\WINDOWS\system32\atlea32.exe
    C:\WINDOWS\system32\crau32.exe
    C:\WINDOWS\system32\crnz32.exe
    C:\WINDOWS\system32\d3dy32
    C:\WINDOWS\system32\iphl.exe
    C:\WINDOWS\system32\ipjs32.exe
    C:\WINDOWS\system32\mfcaa.exe
    C:\WINDOWS\system32\mfcdh32.exe
    C:\WINDOWS\system32\mfcfz.exe
    C:\WINDOWS\system32\mfcrm32.exe
    C:\WINDOWS\system32\netah.exe
    C:\WINDOWS\system32\ntkz32.exe
    C:\WINDOWS\system32\sdkcg32.exe
    C:\WINDOWS\system32\sdkhm32.exe
    C:\WINDOWS\system32\sdkik.exe
    C:\WINDOWS\system32\sdkug.exe
    C:\WINDOWS\system32\sysbk32.exe
    C:\WINDOWS\system32\sysdy.exe
    C:\WINDOWS\system32\winen32.exe
    C:\WINDOWS\system32\wings32.exe
    C:\WINDOWS\system32\winjd32.exe

    Let me know the results of trying to find and delete these files! Also post a new HJT log and do not reboot.
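The 25 file names in the list above (and netaq32.exe from the O23 service line in post 16) all follow one naming scheme: a prefix that imitates a real Windows component family, one or two random letters, an optional "32", and an optional ".exe". The following is an added example, not code from the thread or from Trojan Hunter, that turns that observation into a filter over a directory listing. The regex and the prefix list are derived only from the names posted here, the directory listing is constructed, and the KNOWN_GOOD allowlist is an assumption: a real Windows file, netsh.exe, happens to fit the pattern, which is why a known-good reference listing has to accompany any name-based heuristic.

```python
import re

# Name pattern derived from the 25 files Trojan Hunter reported in this thread
# (plus netaq32.exe from the O23 service line): a prefix borrowed from a real
# Windows component family, one or two random lowercase letters, an optional
# "32", and an optional ".exe". A genuine system file rarely has this shape.
HSA_NAME_RE = re.compile(
    r"^(?:api|app|atl|cr|d3d|ip|mfc|net|ntk|sdk|sys|win)"
    r"[a-z]{1,2}(?:32)?(?:\.exe)?$"
)

# Assumption: a hand-picked allowlist of real Windows binaries whose names
# happen to fit the pattern. On a real job this would be the file list of a
# clean machine running the same Windows version, not a few names.
KNOWN_GOOD = {"netsh.exe"}

# The names chaslang told the poster to delete (post 25), plus the O23 service
# binary from post 16.
THREAD_NAMES = [
    "apiop.exe", "apiwi32", "appdm.exe", "atlal32", "atlea32.exe",
    "crau32.exe", "crnz32.exe", "d3dy32", "iphl.exe", "ipjs32.exe",
    "mfcaa.exe", "mfcdh32.exe", "mfcfz.exe", "mfcrm32.exe", "netah.exe",
    "ntkz32.exe", "sdkcg32.exe", "sdkhm32.exe", "sdkik.exe", "sdkug.exe",
    "sysbk32.exe", "sysdy.exe", "winen32.exe", "wings32.exe", "winjd32.exe",
    "netaq32.exe",
]

# Constructed directory listing (not a real system32 dump): the thread's names
# mixed with legitimate system32 files, so the filter has something to keep.
SAMPLE_LISTING = THREAD_NAMES + [
    "netsh.exe", "netstat.exe", "winlogon.exe", "winhlp32.exe", "ipconfig.exe",
    "ntkrnlpa.exe", "sysocmgr.exe", "mfc42.dll", "netapi32.dll", "apphelp.dll",
    "d3d9.dll", "atl.dll", "kernel32.dll",
]


def looks_like_hsa_dropper(name, known_good=KNOWN_GOOD):
    """True if the file name fits the HSA naming scheme and is not allowlisted."""
    n = name.lower()
    return bool(HSA_NAME_RE.match(n)) and n not in known_good


def triage(listing, known_good=KNOWN_GOOD):
    """Return, sorted, the names in a directory listing worth a closer look."""
    return sorted(f for f in listing if looks_like_hsa_dropper(f, known_good))


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print("suspect:", f)
    # netsh.exe matches the regex but is real; only the allowlist saves it.
    print("netsh.exe without allowlist:", looks_like_hsa_dropper("netsh.exe", set()))
```

The output is a shortlist for a person to check in safe mode with hidden files shown, not a delete list: a match says the name looks machine-generated, and the allowlist shows how easily a two-letter random suffix collides with a real binary. Compare every hit against a clean install of the same Windows version before removing anything.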
     
  26. IMSA

    IMSA Private First Class

    Thanks for the reply. Before I begin again, I guess I'll need help with a couple of things.

    First, concerning the HJT zip file, I did create a new folder for it and installed the zipped file there but it looks like it ran it from the previous place it was installed. Hopefully I can delete it from the previous folder so that this won't happen again. What I need help with is how do I not run it from the zip file? Do I need to unzip it somehow, and if so, how do I get it in the directory? I may not be making any sense, but I know how to move the zipped file to a new folder/directory but not how to move an unzipped file to a directory. Or maybe I've misunderstood and I just need to put the zipped file into an appropriate folder/directory and that will suffice.

    Also, I didn't have any IE sessions running (and it wasn't visible in the lower toolbar.) Also, a notebook task wasn't visible either and I don't remember opening one. Do I need to go into Administrative Tools/Component services (or somewhere else) to actually stop IE (assuming it is there as a service to stop)? I'll definitely double check this though to see what I could be doing wrong before I run HJT again.

    I did delete the files (015, 015, & 023), but I'll try it again. Obviously I did something wrong or something didn't take.

    Also, I'll try and delete those files identified by Trojan Hunter. I just wasn't sure they all should be deleted. I'll use the list you gave me.

    I may not have totally understood your directions, so any clarification will help. Thanks again...I'll keep trying....
     
  27. IMSA

    IMSA Private First Class

    Located all the files found by Trojan Hunter and deleted them. Reran TrojanHunter with new results "No Trojans Found." (Didn't reboot.) ~Girlfriend in Training
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you put the HijackThis.zip file in the C:\Program Files\HJT folder you still need to extract the hijackthis.exe file from the zip file into the same folder. Otherwise you will still get the same results because you would be running it out of the ZIP file. That is one of the things we said we do not want. A folder and a directory are the same thing. Just different words meaning the same thing.

    If you are not running IE, something else is because it does show in your HJT log.

    Try correcting the above and post a new HJT log with no browsers running. If IE still shows up, post the log so I know. And then press CTRL-ALT-DEL simultaneously to bring up Task Manager, click Processes, right click on iexplore.exe and select End. Does that end the process?
     
  29. IMSA

    IMSA Private First Class

    Oops. I forgot to post the HJT log for you (which is saved) before pressing CTRL-ALT-DEL and ending IE. When I did this I lost all icons on my desktop. Yes, the process is stopped, but the screen is totally black. How do I get my desktop back so I can use my computer? Will I need to reboot?

    Although I didn't send you the log, the processes that you had told me to delete weren't present this time. Also, I figured out how to extract the file into the same folder (and I also deleted the program from the temp folder) so I think it was run correctly.

    Have I really screwed things up by ending IE? I guess I didn't know what that would do. I was hoping to end IE and run HJT again for you. I'm using a different computer to send you this message, because I didn't want to reboot. I'll wait until I hear from you before doing anything else to my computer. Hopefully I haven't ruined everything. ~Girlfriend in remedial training.....
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you ended iexplore.exe and not explorer.exe
    Your symptoms sound like you ended explorer.exe

    If that is the case, just reboot.

    After reboot, post your HJT log first before doing anything else.
     
  31. IMSA

    IMSA Private First Class

    About whether or not I deleted iexplore or explorer.exe last night, of course I thought I had deleted iexplore.exe, but I wouldn't bet my life on it. I've been working such long hours anything is possible.

    I rebooted and everything appears to be back in a normal state. I'm attaching the HJT log as you've requested. We'll see where we are after you get a chance to look at it. (I haven't done anything else on the computer yet.)

    Thanks for your long hours of help, ~Girlfriend in Training
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First run Spybot and disable its TeaTimer program. It could interfere with some of the cleanup steps.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.

    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

    Now quit Spybot!


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyfbd.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyfbd.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {C40457D9-D338-5738-22C0-B94004FBA803} - C:\WINDOWS\addnv.dll (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\nyfbd.dll

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
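The HijackThis lines chaslang picked out for Fix in post 18 (the O15 and O23 entries) and in this post (the R0/R1, R3 and O2 entries) share a few tell-tale shapes: an IE page served out of a `res://` DLL resource, a start page the user never set, a BHO with no name or a missing file, any Trusted IP range, and a service with no publisher information. The following is an added example, not code from the thread or from HijackThis, that parses an HJT log excerpt and returns those lines with a reason. The excerpt is constructed from the lines quoted in the thread plus three made-up benign lines for contrast, and EXPECTED_HOSTS (Google, which the owner said she typed in by hand) is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts the owner actually set as home/search page. The thread
# says she typed in Google by hand, so that is the only expected host here.
EXPECTED_HOSTS = {"www.google.com", "google.com"}

# Constructed HijackThis excerpt: the lines chaslang marked for Fix in posts 18
# and 32, plus three made-up benign lines so the filter has something to keep.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyfbd.dll/sp.html#28129",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyfbd.dll/sp.html#28129",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {C40457D9-D338-5738-22C0-B94004FBA803} - C:\WINDOWS\addnv.dll (file missing)",
    r"O15 - Trusted IP range: 206.161.125.149",
    r"O15 - Trusted IP range: (HKLM)",
    r"O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netaq32.exe",
    r"O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)",
    # benign lines, constructed for contrast (not from the thread's log)
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll",
    r"O23 - Service: Example Backup Service - Example Corp - C:\Program Files\Example\backup.exe",
]

# O23 lines read "Service: <display name> - <company> - <path>".
O23_RE = re.compile(r"Service: (.+?) - (.+?) - (.+)$")


def reason_to_fix(line, expected_hosts=EXPECTED_HOSTS):
    """Return why this HJT line deserves a look, or None if it passes."""
    code, sep, rest = line.strip().partition(" - ")
    if not sep:
        return None

    if code in ("R0", "R1"):
        # "<registry key>,<value name> = <value>"
        _key, eq, value = rest.partition(" = ")
        if not eq:
            return None
        value = value.strip()
        if value.lower().startswith("res://"):
            return "IE page served out of a local DLL resource"
        host = (urlparse(value).hostname or "").lower()
        if value.lower() == "about:blank" or host not in expected_hosts:
            return "IE start/search page is not the one the user set"
        return None

    if code == "R3" and rest.endswith("is missing"):
        return "default URLSearchHook has been removed"

    if code == "O2" and ("(no name)" in rest or "(file missing)" in rest):
        return "BHO with no name or a missing file"

    if code == "O15" and rest.startswith("Trusted IP range"):
        return "IP range added to the Trusted Sites zone"

    if code == "O23":
        m = O23_RE.match(rest)
        if m and m.group(2).strip() == "Unknown":
            return "service with no publisher information"

    return None


def triage_hjt(lines, expected_hosts=EXPECTED_HOSTS):
    """Return (line, reason) pairs for every log line that deserves attention."""
    hits = []
    for line in lines:
        why = reason_to_fix(line, expected_hosts)
        if why:
            hits.append((line.strip(), why))
    return hits


if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}:\n    {line}")
```

Two caveats match what the thread itself shows. "Unknown" in an O23 line only means HJT found no version information for the binary, so that rule produces candidates to research, not verdicts; the x10nets.exe entry was removed because the file was missing, not because a name proved it malicious. And the start-page rule depends entirely on knowing what the user set: hsremove.com is flagged here only because it is not the page the owner chose.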
     
  33. IMSA

    IMSA Private First Class

    Followed instructions running Spybot and disabling TeaTimer. Also unchecked "IE Tweaks" as requested. Followed additional instructions selecting the R1, R0, R3, and O2 entries and fixing them.

    The only anomaly encountered was that I did not find the "nyfbd.dll" file either in the C:\WINDOWS\system32 directory or anywhere else on the computer (and I should be able to see the hidden files).

    I rebooted in normal mode and when you said "post a new HJT log" I assumed you meant to run HJT again. I have the results of both HJT runs and am attaching the second results to this reply. (Hope that is what you wanted.)

    The IE Options General Tab address now reads correctly for the first time.

    Hopefully things are looking better from your educated point of view.....~Girlfriend in Training....
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log now looks clean. You can re-enable any protections you like now with Spybot and any other tools.
     
  35. IMSA

    IMSA Private First Class

    Thanks so much for all your help. I really appreciate it. Hopefully everything will work as it should now! ~Girlfriend in Training
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

