Laptop with a virus won't allow internet access

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lydster, Apr 26, 2005.

  1. Lydster

    Lydster Private First Class

    I've followed your instructions before for another computer I have and successfully got rid of the about:blank hijack; HOWEVER, the laptop I'm working on now that my boss brought me from home cannot connect to the internet. I am trying to run through all the steps in the DO NOT POST UNTIL YOU HAVE READ THIS... article, but I'm at the point where you want me to run on-line scans. Can I skip that part and just run the other tools in safe mode?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do what you can and then post a HJT log from normal mode.
     
  3. Lydster

    Lydster Private First Class

    I've followed as many steps as I could with the downloaded tools from the DO NOT POST UNTIL YOU HAVE READ THIS... article. Again, I was not able to do on-line scans. Also, I could not run SpyBot because I could not check for updates/definitions via internet, so it would not run.

    Attached is the HJT log file. Please instruct me as to EXACTLY what to do, as I'm no expert when it comes to working in the registry.

    Thanks!
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can't download this on the infected machine, download it from another machine and transfer it via floppy/CD to the infected machine.

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the connwsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move connwsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file connwsp.dll is already in the remove section, then just click FINISH.)


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: (no name) - {0AC292B1-9419-4BA8-8897-17235F821244} - (no file)

    O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://tcnet.tv/tcinstall/setup.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After doing ALL of the above,
    Reboot, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
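
Added example, not part of the original thread and not HijackThis or MajorGeeks code: a small Python triage of the HijackThis entry types listed in the post above (R0/R1 browser pages, O2 BHOs, O16 ActiveX downloads). The allowlist and the single msn.com line are constructed assumptions; the other sample lines are the ones quoted in the post, with the wrapped Yahoo URL rejoined.

```python
import re
from urllib.parse import urlsplit

# Assumption: the analyst's own allowlist of expected home/search/codebase domains.
ALLOWED_DOMAINS = {"microsoft.com", "msn.com"}
CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
# Line shapes for the three HijackThis sections that appear in the post.
PATTERNS = [
    re.compile(r"^(R[0-3]) - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$"),
    re.compile(r"^(O2) - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<file>.*)$"),
    re.compile(r"^(O16) - DPF: " + CLSID + r" \((?P<name>.*)\) - (?P<url>\S+)$"),
]
# Five entries from the post plus one constructed benign line (msn.com).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
O2 - BHO: (no name) - {0AC292B1-9419-4BA8-8897-17235F821244} - (no file)
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://tcnet.tv/tcinstall/setup.exe
"""

def host_allowed(url):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def triage(log_text):
    """Return (section, subject, reason) for each entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            code, f = m.group(1), m.groupdict()
            if code.startswith("R") and not host_allowed(f["data"]):
                findings.append((code, f["value"], "browser page outside allowlist"))
            elif code == "O2" and f["file"] == "(no file)":
                findings.append((code, f["clsid"], "BHO registered but DLL missing"))
            elif code == "O16" and not host_allowed(f["url"]):
                findings.append((code, f["clsid"], "ActiveX codebase outside allowlist"))
            break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
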
     
  5. Lydster

    Lydster Private First Class

    I did everything up to the SpyBot, but as I mentioned before, I cannot get updates since the computer's not attached to the internet, and Spybot won't run without the updates. I get an error that says "You need to install the detection updates first by using the integrated update or the manual updater."

    What next?
     
  6. Lydster

    Lydster Private First Class

    One more thing on this...in case this information helps you:

    When the boss brought the laptop in, he said that the virus had made it so that he could not open Internet Explorer. Since I've had it here in the office, I was concerned about spreading the virus to the rest of the computers on the network, and I didn't want to join it to the domain and sign it on to the network (which, I believe, is the only way I know of to give this laptop internet access through our network T1 line).

    Is there some other way to connect to the internet in this network environment without joining the computer to the domain and signing it in to our server, or do you feel that it's likely that the virus may be gone now and therefore it's okay to hook it up to the network now to get internet access?

    Thanks!
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't see a problem with it, you can re-connect to the internet and get all the updates you need. What virus was it?

    Also, if you have completed the fix I posted, attach a fresh HJT log.

    Did you run LSP-FIX and remove that file I requested?
     
  8. Lydster

    Lydster Private First Class

    Actually, throughout the different tools I ran, I never did see any evidence of a virus. I guess I need to get it hooked back up to the internet to see if it's still doing what my boss said it was doing.

    I did run LSP-Fix and deleted the one file.

    Attached is the new HJT log.

    What do you suggest I do next?
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean, are you having any further problems?
     
