Still need help - think I've followed directions

I got infected. Multiple problems. Have had the about:blank thing for a long time but all of a sudden went to a site that started downloading stuff and I couldn't stop it. Now I've got the black screen with Warning! You're in danger... Some how my wireless network drivers were lost and I couldn't get to the web, had all these annoying pop-ups, the dog icon some turkey thing... Am running Windows XP - Tried to follow the directions as posted here including safe mode with networking (reloaded network drivers) - installed and ran all of the spyware software in order and lots of files were manipulated (Over 450 with the first Ad Aware scan). Each time I scan, it seems a few more things are identified. I did hijack this but may have messed up not closing everything down on the taskbar and loading it to the desktop. Ran an auto scan on another site and deleted the ones that were "Nasty". Had some others denoted as Nasty but it said don't fix them, try to get rid of them with LSPfix from cexx.org which I ran but it didn't seem to matter. I ran Hijack this again and deleted a bunch of stuff at the end (Unknown entries) but things didn't change and they were all there again on the next post reboot scan. So, where do I go from here? Thanks. Steve (Stylcouncl@aol.com)

 

Also, when searching through the Windows/System32/dll cache... I noticed agentsvr.exe with an icon that looks suspicious. Is this part of the problem. I went in there thinking I should delete the dll files that hijack this analysis labeled as nasty but didn't thinking I might cause more harm than good.

 

Bump ^^ for help... please

 

Hi Steve,

Sounds like you have a mess on your hands!

Please go ahead and send us a HijackThis Log and let's see where you stand. That should tell us how you should proceed. Make sure to follow the instructions below:

Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

Send us a log and we'll go from there I'll try to check back when I get a chance, but I'm tied up with work right now. Hang in there!

Best,
PP

 

OK, well the infection goes deep. The dreaded black screen only appears when logged in as "owner" and not on one of the kids' log in names. There remains an evil dog icon with something about cashback that comes back even after you exit. I think I expunged him. In my computer, I noted several exe files that are dated infestation day and seem suspicious "purity", "sysman" and "soft", I deleted them but I'm sure they'll return. I've tried to attach my hijack this log using manage attachments tool but I get an error message with server not found, then I copied and pasted it into the reply but again got an error message when I tried to post it so now I'll try using the quick reply.

 

Hi Steve,

A couple of things before we get started:
Is that your entire HJT Log?
How many different User Accounts are on your machine? We should probably look at them all.

For this HJT Log:
You have a few items that we need to deal with. However, before we do that, please download this tool: http://www.cexx.org/lspfix.zip

Now, run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move calsp.dll into the Remove section.

Please do the same for aklsp.dll

Then, click the Finish Button. When the Repair Summary box appears, click OK.

Now, Reboot and then scan with HijackThis and attach that log and we’ll attack the other problems. Chaslang or I will take a look when we get a chance.


Best
PP

 

Sorry about the long delay. I hope I haven't lost the opportunity for further assistance. I did run the LSP fix but neglected to delete the dll files you specified. I didn't have your response with me at the time so I'll go do that tonight. I was hoping that with that in mind, the new hijack this logs would still be relevant. As you suggested I ran a separate log for each user on the machine. O is owner, is the administrative login and seems to be the worst one. That is the one with the black overlay warning screen on the desktop, the others don't have that. Thanks. Steve stylcouncl@aol.com

 

OK, I redownloaded and updated all of the scanner/cleaner files as described in the sticky thread. I really had done them all the first time although my hijack this logs may not have reflected that. This time through, it seemed more things were identified and deleted. The most obvious remaining issue is that the owner/administrator logon background screen continues to have a black overlay screen that says Warning... you may be infected.... I reran the hijack this logs for the 3 different users with the latest hijack this app and will attach them below as native log files. Thanks again guys. For some reason, 2 of the logs won't upload so I'll try to generate them again and send them in the next post. Steve

 

Second log, I hope

 

Third log (seemed it wouldn't upload because the .log file extension had dropped off and once I renamed it with the .log it opened and uploaded fine. Hope this is useful. Steve

 

Fast response, OK< I'll replace the hijack this and rerun.

 

I assume I am to use add remove programs to uninstall the spy blocs program?

 

It didn't have an uninstall but I did fix the run line in hijack this as directed. I didn't see the processes running. I fixed the designated hijack this lines except for the paired ones ending in bfv.exe. Each time I rerun hijack this, similar lines are there but the three letters before exe are different as you can see from this most recent log. The only obvious sign of ongoing infection is the black overlay screen on the owner account "Warning... You're in danger"... I'll work on the Jamie account next.

 

I'm sorry. I did jump back to the other account. I'll repeat the process as you described for the main account, re-post and wait. I assume you want me to delete the files even if the file name has changed. I have confirmed that restore is off, and that hidden files are set appropriately. Along those lines, I have not unchecked the box about operating system files below the designated one.

 

This is the newest hijack this log BEFORE I've gone back in to fix things or back into safe mode.

 

I see that you're logged in viewing the thread and so I'm waiting to see your response. Steve

 

Shit. Well, its obviously getting very late for you. I'll uncheck that box, then should I rerun some or all of the other programs or just uncheck that box and rerun a hijack this log?

 

OK, I have a wireless connection and I can just unplug the D Link. What should I do next? Uncheck the hidden box, rerun hijack this and post the log or take some action based on that last log?

 

OK, thats what I'll do. They have already changed however since I last scanned. I'll give it a try.

 

No, I'm not terribly familiar with it although I've tinkered in the past with someone directing it. Here's where I'm at. I searched by date modified/created and found about 80 of those ABC.exe files throughout windows all from the day and time the problems started. I also found multiple dll files including additional copies of the two you had me delete independently. I also found a few other suspicious executable files from that day and deleted them. I also found and deleted the image file for the black warning screen, since that time, instead of the black screen, there is a white screen that overlays the windows background and thats the only remaining issue functionally. If I enlarge the windows toolbar at the bottom and then drag it back to the regular size, you can see the appropriate background screen "underneath" and then the white screen refills the "uncovered" area. Right now I'm rerunning the steps in the main pre-screening thread with all files revealed in safe mode and I'll look at the link you included above. I'm also searching the web on another computer because I've seen links about that black "Warning - You're in danger..." screen because I think that is the biggest problem. I also curiously found a file in Windows/Temp several numbers.tmp listed as "unknown application" as a read only created the date this stuff all happened. I couldn't delete it in safe mode but I could delete the whole temp folder in a normal boot so I did that. I think I'm close. Steve

 

OK, so following instructions in a similar thread in a similar forum, I was able to at least temporarily fix the screen problem by going into desktop settings, web tab and unchecking the box (someone explained in another help session that "an active desktop was set as the wallpaper". The respondent mentioned that for him the fix was only temporary and the black screen returned after a few hours. I've since rerun spybot, adaware and the cleaner program, searched for all. tmp files and removed them and have not yet allowed that PC to have web access. I've rerun hijack this logs for all three users and will post them here in case you have any other suggestions before I allow this PC to have net access again. So far so good. Thanks again. I think the logs will come in two (or three) posts. (Having trouble uploading the logs)

 

3rd log