Need help getting rid of Tagging System Cashtitan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Taddio, Jul 21, 2010.

  1. Taddio

    Taddio Private E-2

    Hi,

    First off, I want to say that I HAVE read the READ ME FIRST sticky post and I've done what it said, at least all I could.
    Also, I know there's another thread on the subject of "Tagging System Cashtitan", but the READ ME FIRST post clearly says to not post in another one's thread.

    So here I am.
    I run on Windows XP, I've got a 3.0 ghz Pentium IV dual core with 2.0ghz of memory.
    When I'm browsing the internet, I sometimes get pop-up ads (mostly advertising cars or iPads) in the bottom right corner of my screen.
    In my config panel, there's a program called "Tagging System Cashtitan" that asks for a code to be uninstalled.
    I've run Malwarebytes, CCleaner and, yes, Spybot, and it still shows in my add/remove program list.
    I've read on someone else's post that OTM might do the trick to remove it, but when I try to click on the download link, I get this message:

    403 Forbidden
    Access to this resource on the server is denied!
    Powered By LiteSpeed Web Server
    LiteSpeed Technologies is not responsible for administration and contents of this web site!

    I don't have access to another computer to download it.
    So, my question is this one: can someone help me find a way to remove this unwanted program from this computer? (I don't even know if it's malware, but my guess is that it is; I've found very little information about it on the internet.)

    Thanks,
    Taddio
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to run only the tools we ask you to run in the READ & RUN ME and attach the requested logs. Spybot is not part of the READ & RUN, but in addition to Malwarebytes, we ask you to run SUPERAntiSpyware, ComboFix, RootRepeal, and MGtools. So finish trying all tools and attach the requested logs so that we can properly help you.
     
  3. Taddio

    Taddio Private E-2

    Chaslang,

    I did just what you told me, I attached my logs.
    Let me know if I can do something else.
    SuperAntiSpyware did find 3 threats (adware) during the scan, but Cashtitan still shows in my add/remove program list (just so you know).

    Thanks a lot for your time

    EDIT: Since I can't upload more than 4 files, I won't attach the Malwarebytes log (which I'm 99,99% positive is clean), but if you need it I will send it to you.
     


    Last edited: Jul 22, 2010
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The instructions explained that you just needed to use two messages to attach the 5 logs. ;) And the last two scans from it did find something as the size of the below logs indicate.
    Code:
    "C:\Documents and Settings\gerald\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mb9e32010-07-21   1046  "mbam-log-2010-07-21 (19-42-14).txt"
    mbam-2010-07-21   1106  "mbam-log-2010-07-21 (15-22-18).txt"

    Uninstall the below old versions of software:
    Java(TM) 6 Update 20

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. Taddio

    Taddio Private E-2

    Hi Chaslang,

    Again I've done all you told me to do.
    I attached my logs below.
    Tagging System Cashtitan doesn't show anymore in my add/remove program list, and I've browsed a couple web pages and I was not prompted to buy an iPad yet:-D
    On the other hand, I received an error message when MGtools finished running. I've taken a screenshot and attached it; I thought maybe you would want to see it (zipped, because it was too big uncompressed).

    Anyhow, what I'm trying to say with all this is thank you, and if I ever get the chance I'll gladly buy you a beer!
    I really appreciate what you've done for me:)

    You take care and keep up the incredibly good work,

    Sincerely yours,
    Simon

    EDIT: Well, just after I post this very message, the iPad thing still appeared, and I was redirected to some Hotel page in Austin.
    Maybe it was not Cashtitan that was causing this? Any thoughts?

    Still yours anyway (loll),
    Simon
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    This was explained in the READ & RUN ME in the Using MGtools instructions link. You never installed .NET Framework.

    What browser are you using when this occurs? And does it occur when on any particular website?

    Do you know exactly what the below are for?

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Taddio

    Taddio Private E-2

    Hello again Chaslang,

    I mainly use Firefox as a browser and I always update to the latest version when it's available. There seems to be no particular website when the pop-up ads...heu...well...pop:-D
    It even popped right on this website once or twice.
    I've downloaded Safari today, but I haven't browsed with it much so far, and no unwanted iPad ads have appeared yet (kind of ironic when you think it's an Apple product, heh...).

    I've downloaded/installed the .NET framework and did all you told me again.
    As for the "Do I know what this is?" about this

    I have absolutely no idea, but I'm more of the "hardware" kind of guy, although I'm working on this. But from memory, this tells me absolutely nothing and doesn't seem related to anything I could have installed on my computer, which is mainly audio software and a couple of games.

    I attached the requested logs, and in the meantime I'll check if my problem is solved. I'll keep you up on whatever happens (or hopefully doesn't happen:p)

    Thanks as always for your time, I appreciate it a lot,
    Simon
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay then let's remove those startup entries.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also run this: Using ESET's Online Scanner and attach the log from ESET,

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • the log from ESET
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
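
Added example, not part of the original post and not MajorGeeks' or HijackThis's own code: a small Python parser for the O2 (Browser Helper Object) and O4 (autostart) lines quoted in the post above, which extracts the CLSID, registry location, command and user and lists the entries worth a manual look. The two triage rules (a BHO with no backing file; a RunOnce value under an HKUS hive) and the two "Example" log lines are assumptions constructed for illustration.

```python
import re

# Five lines copied from the post above, plus two constructed benign entries
# (the "Example" ones) so the result shows what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\app.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
"""

# O2 - BHO: <name> - {CLSID} - <file>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# O4 - <hive>\..\<key>: [<value name>] <command> (User '<user>')   (user is optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

def parse_line(line):
    """Return a dict of fields for an O2 or O4 line, or None for anything else."""
    for section, rx in (("O2", O2_RE), ("O4", O4_RE)):
        m = rx.match(line.strip())
        if m:
            return {"section": section, **m.groupdict()}
    return None

def triage(log_text):
    """Apply the two illustrative rules; return (item, reason) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["section"] == "O2" and e["file"] == "(no file)":
            findings.append((e["clsid"], "BHO registered with no backing file"))
        elif (e["section"] == "O4" and e["key"] == "RunOnce"
              and e["hive"].startswith("HKUS\\")):
            findings.append((e["name"],
                             f"RunOnce under {e['hive']} (user {e['user']}): {e['cmd']}"))
    return findings

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item:40} {reason}")
```
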
     
  9. Taddio

    Taddio Private E-2

    Looks like you did it Chaslang! :)

    I attached my logs. No pop-ups yet, neither in Firefox nor Safari, and maybe it's a psychological kind of thing, but I feel my computer runs better than ever right now.

    So thank you again for all your help, you really own the computer, you know:-D

    Simon
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
