Searchportal.info and more.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Luckyneil, May 15, 2005.

  1. Luckyneil

    Luckyneil Private First Class

    1-After following all the steps in the sticky (DO NOT POST UNTIL YOU HAVE READ THIS), the very next day I had 273 Trojans in my Windows\system32 folder. I ran Trend Micro HouseCall again and deleted them. I had to manually delete one of them. Will they be back?

    2-Anyhow, right after that my Firewall (Norton) warned me that ipyt32.exe was trying to access the internet so I tried to zap it manually with no success. Norton AV found it and said it was ad-ware but couldn't kill it either. Scanning with Adaware didn't pick it up. Scanning repetitively (with no time lapse between scans) with Ad-Aware I do pick up and delete the same TIB browser and Dialer over and over again. Is this common?

    3-Now, when I open IExplorer I get searchportal.info as my home page. When I try to get a blank home page via tools-options-use blank page Search portal hangs in there. What gives?

    4- Ad-Watch monitoring picks up and informs me of Registry Modifications that occur every couple of minutes. Is this normal?

    5- I followed all the suggestions in the sticky, HOW TO PROTECT YOURSELF FROM MALWARE!

    6-I downloaded and ran Hijackthis but will wait before attaching the log file.

    Thank you very, very much for this forum. I am determined to clean all scum from my computer but need help. :)
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Depends on if you're protected as in antivirus, firewall, and Windows updates.

    We will have to remove this manually. Follow the below information.

    Sounds like a browser hijack, follow below!

    No, it's malware modifying your registry.


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Luckyneil

    Luckyneil Private First Class

    Here is a fresh log file.
     

    Attached Files:

  4. Luckyneil

    Luckyneil Private First Class

    I had my log file analyzed on the HijackThis website and am not too sure what to do with all the Nasty and the Possibly Nasty entries. Does "should be fixed" mean deleted?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That site is not 100% accurate so be careful if you go by its detections.

    You have several problems in this log, proceed with the following.

    Download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on "Desinfecton starten" (the other button means close), then it will reboot and finish the cleaning.

    Run SpSeHjfix one more time.

    Reboot in Normal mode.

    Run HijackThis again and post a new log. Also post the log from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  6. Luckyneil

    Luckyneil Private First Class

    I had to go away unexpectedly. So, now I'm back and I re-did all the steps in the sticky. I made sure I got all the necessary updates first. I did not follow the steps outlined in your previous post. However, I made a new HijackThis log file and will upload it as soon as requested.
    Thanks.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Start by following my previous post. Also, do NOT reboot. With this hijacker, rebooting causes it to mutate as a different name, which means everything I post is useless, so you must not reboot.

    After you run the SpSeHjfix109 attach this log with a fresh HJT log.
     
  8. Luckyneil

    Luckyneil Private First Class

    OK. I did exactly as instructed. Here are the logs.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot and post a fresh HJT log.
     
  10. Luckyneil

    Luckyneil Private First Class

    Here's the new log file obtained after running ABIRemover.exe.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST close every browser and any running programs before you start this fix!


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rlytx.dll/sp.html#18463
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rlytx.dll/sp.html#18463

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {395BAAF6-D77D-4B2B-4198-3585FF78A2F1} - C:\WINDOWS\system32\crmr.dll

    O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {11111111-1111-1111-1114-511155593469} - file://c:\x.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
    O16 - DPF: {A9F2611F-C7CE-49D7-AEE9-17E9028711C1} (SafeGuard Class) -http://www.meetstream.com/activex/login4/login.cab

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkmy.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\inetm ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\CVSEXPSS.exe

    C:\WINDOWS\System32\SXPESVC.exe

    C:\WINDOWS\System32\fnaejaa.exe

    C:\WINDOWS\System32\d3pm32.exe

    C:\WINDOWS\System32\rlytx.dll

    C:\WINDOWS\System32\crmr.dll

    C:\WINDOWS\System32\pd7.exe

    C:\WINDOWS\W815DM.exe

    C:\ied_s7.cab

    C:\x.cab

    C:\wx.cab

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above, Scan with HijackThis and attach the new log.
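    The entries bjgarrick picks out of the log by eye above (and again in later posts: the res:// search page, the search-paga.com start page, the Run entries in the Windows tree, the file:// ActiveX cabs, the orphaned SSODL entry and the service with a missing binary) follow patterns a script can flag. The Python below is an added example, not code from the thread or from any tool it names; its sample log is constructed from the fix list above plus a benign ctfmon.exe Run entry, and the two allowlists are assumptions an analyst would maintain for the machine being cleaned.

```python
import re
from dataclasses import dataclass

# Constructed sample: the fix list from the post above, plus a benign ctfmon.exe
# Run entry and the vendor-hosted ppctlcab ActiveX line, neither of which should fire.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rlytx.dll/sp.html#18463
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395BAAF6-D77D-4B2B-4198-3585FF78A2F1} - C:\WINDOWS\system32\crmr.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper (11Fx) - Unknown owner - C:\WINDOWS\system32\sdkmy.exe (file missing)
"""

ENTRY_RE = re.compile(r'^(?P<section>R\d|O\d+) - (?P<body>.*)$')
RUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?)"?\s*$')
URL_RE = re.compile(r'=\s*(?P<url>https?://[^/\s]+)', re.IGNORECASE)

# Assumed allowlists: the home page the user actually chose, and Run entries under
# the Windows tree known to belong to the OS on this machine.
ALLOWED_HOMEPAGES = {'http://www.majorgeeks.com'}
KNOWN_GOOD_RUN = {'c:\\windows\\system32\\ctfmon.exe'}
WINDOWS_DIR = 'c:\\windows\\'


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_entry(section, body):
    """Return why an entry looks like hijack residue, or None if nothing matched."""
    low = body.lower()
    if section in ('R0', 'R1'):
        if 'res://' in low:
            return 'IE search/start page served from a local DLL via res:// (search hijack)'
        m = URL_RE.search(body)
        if m and m.group('url').lower() not in ALLOWED_HOMEPAGES:
            return f'IE page setting points at unrecognised site {m.group("url")}'
    elif section == 'R3' and 'missing' in low:
        return 'default URLSearchHook removed (typical residue of a search hijacker)'
    elif section == 'O2' and low.startswith('bho: class -'):
        return 'browser helper object registered without a descriptive name'
    elif section == 'O4':
        m = RUN_RE.search(body)
        if m:
            path = m.group('path').strip().lower()
            if path.startswith(WINDOWS_DIR) and path not in KNOWN_GOOD_RUN:
                return f'Run entry starts an unknown binary from the Windows tree: {path}'
    elif section == 'O15':
        return 'site added to the IE Trusted Zone, which relaxes security for it'
    elif section == 'O16' and 'file://' in low:
        return 'ActiveX control registered from a local .cab rather than a vendor URL'
    elif section == 'O21' and '(no file)' in low:
        return 'ShellServiceObjectDelayLoad entry whose DLL is gone (orphan)'
    elif section == 'O23' and '(file missing)' in low:
        return 'service points at a binary that no longer exists'
    return None


def analyze(log_text):
    """Parse every 'Rn - ...' / 'On - ...' line and collect the ones worth fixing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = triage_entry(m.group('section'), m.group('body'))
        if reason:
            findings.append(Finding(m.group('section'), reason, line))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.section}: {f.reason}\n    {f.line}')
```

    The same rules cover the shorter fix lists in the later posts of this thread, since those are subsets of the entries above.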
     
  12. Luckyneil

    Luckyneil Private First Class

    I hope I did everything correctly. Here's the new Hijackthis log file.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot and post a fresh HJT log.
     
  14. Luckyneil

    Luckyneil Private First Class

    Here's the latest log file. I noticed it's a lot shorter than previous ones. However, yesterday my son was using the internet between a couple of your postings and mine. Would that negate our previous efforts? I noticed Ad-Watch told me my registry was being altered as my computer finished booting up this morning.
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes it would, it's allowing things to mutate and more to infect. It's best to remove everything before returning to normal computing so things will not mutate or new infections will occur.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/

    O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\W815DM.EXE

    C:\WINDOWS\inetm\services.exe

    C:\WINDOWS\System32\fgoooiy.exe

    C:\WINDOWS\System32\pd7.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.


    After you have completed ALL of the above, reboot and post a fresh HJT log.
     
  16. Luckyneil

    Luckyneil Private First Class

    OK. I did all of the above. TrojanHunter found 7 trojans including one in my HijackThis folder! See below:

    Found trojan file: C:\Program Files\HJT\backups\backup-20050526-190832-390.dll (Agent.197)

    Also, upon reboot ad-watch detected 5 registry alterations.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow this fix exactly as it appears, do not skip anything!

    Download Pocket KillBox
    (Don't run it yet)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/

    O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\W815DM.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\rbtedxs.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\pd7.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\inetm\services.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your machine, again boot into Safe Mode. Now run the ABI Remover once more in Safe Mode. Afterwards reboot into normal mode and attach a fresh HJT log.
     
  18. Luckyneil

    Luckyneil Private First Class

    Using Pocket Killbox and Windows Explorer I could only find the W815dm.exe file. I noticed after running HJT at the very end of the steps you outlined for me that the same processes I fixed earlier with HJT were right back again. After reboot (using Pocket Killbox) that W815dm.exe was back also.

    Also, the System Startup Service was already stopped when I found it. It needed to be disabled and I did that.

    One other thing, when I run ABI remover by double-clicking the .exe file it installs but then is impossible to find (tried searching for a wide variety of likely file names). So I assumed by installing it it was removing the spyware but perhaps this is a problem. ???

    As I write this thnall.exe and aurareco.exe keep trying to access the internet but my firewall pops up and I block them.

    I don't know if this helps but in windows\prefetch there are aurora.exe files whose names are followed by a series of numbers and a .pf.
     

    Attached Files:

  19. Luckyneil

    Luckyneil Private First Class


    After following the steps outlined above my computer has ceased functioning. I am posting this from a different PC. The first thing to go wrong today was that none of my programs would print. They all said there was no printer installed so I checked the control panel and sure enough there were no printers. I tried re-installing but the computer refused. When I tried re-booting the screen alternated between the initial black screen and the Windows splash screen over and over again. I was able to boot into safe mode but can not connect to any web sites including MajorGeeks.com.

    Needless to say my family is pretty angry with me now that our main PC is not working any more. (they have been following all our efforts at cleaning the spyware).

    Any ideas as to how to fix things up???
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download and run the following utility. After you download this run it and click on the button "Clean Prefetch Folder Now".

    Windows XP Prefetch Clean And Control 1.2.0


    After you do this reboot and attach a fresh HJT log.
     
  21. Luckyneil

    Luckyneil Private First Class

    Done!
    BTW, in safe mode I now can access the internet. (Was working prior to the prefetch cleansing).
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the attached file, save to your Desktop. After download is complete reboot into Safe Mode. Extract the contents to your desktop and run fixnail.bat. Your desktop will disappear, let it go as this is normal. After the tool is complete reboot into normal mode and attach a new HJT log with 2 new logs from both tools.

    Download Nail FIX
     
  23. Luckyneil

    Luckyneil Private First Class

    Extracting to the Desktop got me a .cmd and a .exe file. I double clicked both of them and don't seem to have gotten a log file. As I mentioned a few posts ago I can no longer boot into normal mode. Here's a HJT file from safe mode.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Why can't you boot into normal mode? What happens? Any errors?
     
  25. Luckyneil

    Luckyneil Private First Class

    See posts 17-19 in this thread.
    When I try to boot normally the booting process gets as far as the windows splash screen, then the booting process starts all over again. This cycle repeats indefinitely until I hit F8 and boot into safe mode. Would it be possible to fix this before cleaning up the rest of the spyware? Thank you for all your time and effort, I really appreciate it.

    One last detail. When I boot (into safe mode) I get an error message at the very end of the process telling me that windows\nail.exe is missing. I assume this is a good thing but can I get rid of the message now?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go into Safe Mode, click Start > Run and type msconfig

    Uncheck ALL of the startup items and reboot. See if you can now boot into normal mode.
     
  27. Luckyneil

    Luckyneil Private First Class

    I noticed there is a startup tab as well as a general tab that has a selective startup radio button heading. I tried unselecting everything from each one (one at a time) then rebooting. Same problem. I can only boot into safe mode. Should I be getting worried?
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have your original XP CD?
     
  29. Luckyneil

    Luckyneil Private First Class

    Yes.
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! What we are going to do is a Repair of your current install. Nothing will be lost and nothing will be changed except that the OS will be repaired.

    Boot from the CD-ROM and go through the setup. Do NOT press "R" at the first part as this will take you to the Recovery Console.

    Proceed past this point until you get to where the partitions are listed. You will have options, ESC for don't repair or "R" for Repair. Choose the R for repair and proceed with the install.

    Afterwards see if you can boot into Normal Mode.
     
  31. Luckyneil

    Luckyneil Private First Class

    I chose R for repair and got a black dos type menu. I chose:
    1. C:\windows
    and was prompted for the admin password so I hit enter and got C:\windows on a separate line. I typed help and got a list of DOS commands. I don't know what to do now.
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You did what I said not to do. Boot from the CD again, except this time do not press R the first time you see it. Get to the part where you see something like the image below. Press R at this screen not the first one!

    [​IMG]
     
  33. Luckyneil

    Luckyneil Private First Class

    Ok, I'm in normal mode now. Here's a fresh Hijack this log file.
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did the Repair Install go well?
     
  35. Luckyneil

    Luckyneil Private First Class

    I assume it went well because I'm in normal mode now. It took an hour and I had to enter my 25 character product key but I guess it went well. I mean, hell, what do I know? :)
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's clean up those bad registry entries now that you have a clean, repaired OS.

    Download RegSupreme Pro 1.1 and install it.

    After installation is complete run the program, you may get a box that will prompt you to defrag your registry, you can click OK and wait a few seconds for this to finish. Afterwards select the "Registry Cleaner" tab and run the Aggressive scan. After scan is complete select ALL detected items and click FIX. Type a backup name just in case and then proceed. Afterwards reboot and post a fresh HJT log and we will go from there.
     
  37. Luckyneil

    Luckyneil Private First Class

    The reg cleaner found hundreds of items that needed fixing. Most were deleted.
     

    Attached Files:

  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, disable Ad-Watch as it will block parts of this fix. Also, you need to pick ONE antivirus and uninstall the other as running 2 antivirus programs will cause conflicts on your computer.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/

    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
    O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\pd7.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\W815DM.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\inetm\services.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After you have rebooted attach a fresh HJT log.
     
  39. Luckyneil

    Luckyneil Private First Class

    Do you mean that I am running two antivirus programs? I know that sounds kind of dumb but with all the downloading and installing new protection on my PC maybe I am running two now.
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you're running AVG and Norton. Pick one and uninstall the other.
     
  41. Luckyneil

    Luckyneil Private First Class

    After running the Pocket Killbox (what a great name!) and rebooting I took a peek and noticed W815DM.Exe was still there. Of the 3 files you told me to get with the Killbox it was the only one visible.
     

    Attached Files:

  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must disable Ad Watch as previously requested. It's most likely the reason this stuff keeps coming back.

    After you disable Ad Watch post a new HJT log.
     
  43. Luckyneil

    Luckyneil Private First Class

    I can't get rid of ad-watch. Right-clicking the ad-watch icon in the system tray brings up a menu. I chose "unload ad-watch" and the icon disappeared. But then it showed up as a running process when I ran HJT (or when I did a mouse-over on running processes in Ad-Aware). Should I un-install Ad-Aware completely?

    I never would have thought that anti-spyware would prevent cleaning spy-ware off of a computer.
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, if possible temporarily uninstall Ad-Aware so Ad Watch won't affect anything. Afterwards post a fresh HJT log.
     
  45. Luckyneil

    Luckyneil Private First Class

    I finally got rid of ad-watch. After uninstalling, deleting the parent folder and rebooting it was still in the HJT file as a running process! So I included it in the fix and then did all the clean-up steps. One file (I think) remains. W815DM.exe! I googled it and all I got were various spyware removal forums discussing how tough it was to get rid of but not what it really was. What the heck is it anyway????
     

    Attached Files:

  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's fairly new, I haven't had time to research it yet. Let's start by trying the below fix for it.


    First download: - ProcessExplorer for Win NT/2K/XP

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of W815DM.EXE once and then click the kill button. After you have killed all of the W815DM.EXE's under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of W815DM.EXE then click the kill button. Once you have done that click ok again.

    Run HijackThis and select the following line but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINDOWS\W815DM.EXE

    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log.
     
  47. Luckyneil

    Luckyneil Private First Class

    W815DM.EXE did not show anywhere in Process Explorer. After fixing with HJT it was gone. I ran the Pocket Killbox as instructed but the file was back after reboot!
     

    Attached Files:

  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since I'm not 100% sure on this file, can you zip the file and upload it as an attachment so I can do some testing and research on it?

    Afterwards I will let you know if it's legit or not.
     
  49. Luckyneil

    Luckyneil Private First Class

    Here it is in a .RAR file. I hope.

    Edit: I zipped it but for some reason it won't upload.
    2nd edit. OK, I got it as a .ZIP
     

    Attached Files:

  50. PhilliePhan

    PhilliePhan Guest

    If my aging memory serves me correctly, W815DM.EXE is related to C:\Program Files\Akrontech\enuff. If you uninstall enuff, you should be able to remove the entry for W815DM.EXE - if you still feel the need to do so . . . .

    PP :)
     
