fast-search.org nightmare

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rb1knobe, Feb 9, 2005.

  1. rb1knobe

    rb1knobe Private E-2

    Anyone else suffering from this disease? Can't seem to get rid of it. Have followed Mjr Attitudes suggestions and pretty sure did all the things as instructed. System.ini shows user.exe is reinfecting with every startup. Can't seem to delete or over-write. Any suggestions? Help would be appreciated. My newbieness is showing and am very frustrated.
     
  2. TheOldThug

    TheOldThug First Sergeant

    After doing ALL of the READ ME FIRST Tutorial if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. rb1knobe

    rb1knobe Private E-2

    Ran current versions of AdAware, Spybot S&D, Win98fix, startdreck and tried to follow instructions given others with similar problems. No luck. Here's the HJT ran just now. Thanks in advance for the assistance.
     


  4. TheOldThug

    TheOldThug First Sergeant

    Will try to get someone to look at log today and respond. Hang in there.
     
  5. rb1knobe

    rb1knobe Private E-2

    Thanks, will do. Spywareguard catches the changes on startup but we do the dance for a few minutes to stop fast-search.org from doing its thing. Have noticed that it (or something else I can't find) puts some nasty sites in my IE favorite folder. Have no idea where these are coming from. My kids (17&21) use this laptop so who knows where they have roamed. Would like to put this Compaq Presario 1800 laptop back to work for a while. Need it for work and hate to cough up the $$$ if I don't have to.
     
  6. TheOldThug

    TheOldThug First Sergeant

    What message are you getting regarding reinfecting?

    I have looked at the HJT log and nothing jumps out at me. Hopefully Chas or PP can look at this tonight and come up with something.
     
  7. PhilliePhan

    PhilliePhan Guest

    How many different User Accounts are on this machine? These are all I see:

    O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe --> I am not familiar with this

    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -

    PP :)
     
  8. rb1knobe

    rb1knobe Private E-2

    Thanks for the response. There are three users but we don't log in separately. Just have 3 different email accounts via aol. I have been unable to ID the winsysrun.vbe also but not that familiar so thought someone there might know where and what it is and does. Curiously, when I scan with HJT it shows up twice every time I reboot. As I mentioned, I have to do the SpywareGuard dance every time also because it tries to change my registry with this *&%$ fast-search.org thing. Usually hits me again when I'm online with the machine also. Like it sees the online connection and tries all over again. This would tell me the SpywareGuard dance isn't getting it all or it sees this address back online and hits it again, doesn't it?
     
  9. TheOldThug

    TheOldThug First Sergeant

    RB1

    Phillie will help you so I am backing out of this thread and getting out of his way.
     
  10. PhilliePhan

    PhilliePhan Guest

    Try this:

    Turn off SpybotSD's Tea Timer.

    Fix these two lines with HJT:
    O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -

    Boot to safe mode and RightClick C:\WINDOWS\system32\winsysrun.vbe to get Property and Version info. If none, rename it winsysrun.BAD - Then give me a fresh HJT log from Normal Windows Boot and tell me if the problems continue.

    PP :)
     
  11. rb1knobe

    rb1knobe Private E-2

    :) Nice job PP. This seemed to stop the dance with SpywareGuard and the fast-search.org junk from being sent to my register. TeaTimer is now off. The winsysrun.vbe file was a VBScript file but no further info on properties. Renamed and rebooted as suggested. BIG HELP and BIG THANKS!!! Yeah! Still have the darn nasty sites being stashed to the "favorites" folder on IE tho. I have tried delete from Windows Explorer after changing to "Read-only" from "Archive" but it comes back. What's the trick to keeping this stuff out of there? I had added all these sites to the IE options long time ago when this BS first started as not allowed but they just show up on reboot anyway. Ideas?

    rb1knobe
     
  12. rb1knobe

    rb1knobe Private E-2

    Oops. forgot the hjt post.

    rb1knobe
     


  13. PhilliePhan

    PhilliePhan Guest

    I'm not too familiar with Windows 98...

    Fix these in HJT:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present ---> This is likely SpybotSD, but turn it off for now
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -


    Also, let's give this a try (Though I'm not sure how well it will work with Win 98).

    Please download this tool: Remv3.zip

    Unzip it to its own folder. Then, boot into Safe Mode and run rem.bat and attach the resulting log.txt along with a fresh HijackThis log and we'll see what there is to see.

    PP :)
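    A small log-triage helper, added here as an example and not a tool from this thread, from HijackThis or from MajorGeeks. It parses the O4, O16 and O6 entry formats quoted in posts 10 and 13 and flags the same traits PP reacted to: an autorun entry launching a script file such as winsysrun.vbe, and ActiveX (DPF) entries with no description or no download URL. The sample log lines are constructed from the entries quoted above; the regexes and the Finding class are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Windows System Object] C:\\WINDOWS\\system32\\winsysrun.vbe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
"""

# O4: "<hive>: [<name>] <command line>"   (assumed from the quoted entries)
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16: "DPF: {CLSID} (optional description) - <optional download URL>"
O16_RE = re.compile(
    r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$')

# Script-host extensions that are unusual targets for a Run-key autorun.
SCRIPT_EXT = ('.vbe', '.vbs', '.js', '.jse', '.wsf', '.hta')


@dataclass
class Finding:
    section: str   # HJT section id, e.g. "O4"
    detail: str    # the original log line
    reason: str    # why a reviewer should look at it


def review_hjt(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd').strip().strip('"').lower()
            if cmd.endswith(SCRIPT_EXT):
                findings.append(Finding('O4', line, 'autorun entry launches a script file'))
            continue
        m = O16_RE.match(line)
        if m:
            desc: Optional[str] = m.group('desc')
            if not desc:
                findings.append(Finding('O16', line, 'ActiveX control has no description'))
            elif not m.group('url'):
                findings.append(Finding('O16', line, 'ActiveX control has no download URL'))
            continue
        if line.startswith('O6 - '):
            findings.append(Finding('O6', line, 'IE policy restriction present (may be Spybot; verify)'))
    return findings
```

Each finding is a prompt to inspect the file or CLSID, as PP does in post 10; the helper deliberately does not delete or fix anything.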
     
  14. rb1knobe

    rb1knobe Private E-2

    Did the Remv3 task and have attached as requested. Also new HJT log. Noticed the log from Remv3 said it found text but didn't delete it. Assume this is tracking some bad stuff but maybe I didn't respond correctly to the inquiry at the result. What is the proper response if it asks for action?

    Thanks
    Rb1knobe
     


  15. PhilliePhan

    PhilliePhan Guest

    Those two logs are clean.

    What exactly are the items that you cannot remove?

    PP :)
     
  16. rb1knobe

    rb1knobe Private E-2

    PP - Just deleted them again so will have to reboot to get the actual websites they portray. One of which is the fast-search.org site tho. Others are XXX sites and they always are grouped together. Be right back.

    Rb1knobe
     
  17. PhilliePhan

    PhilliePhan Guest

    I've got to run - Being dragged out the door! Probably be back Sunday night.

    You should try running the latest updated CWShredder for Fast-search. A couple Online Virus scans couldn't hurt either. Will check back :)

    PP
     
  18. rb1knobe

    rb1knobe Private E-2

    :) Understand, got called away myself by the big boss. The problem with the "favorites" folder in IE has not returned since I turned off the protection and ran the fixes you suggested BUT they were there at first. Maybe the sequence was the key. Maybe I locked them IN inadvertently by WHEN I set the protection. Anyway, A BIG THANKS for the help. I will let you know if they manage to sneak back in. In the meantime, I have updated all the spy stuff, firewall and antivirus.

    You guys are doing great work. I wonder what the internet and technology could really be doing for people if there weren't the basterdly dasterds out there mucking it up in the name of dirty greed instead of clean business. Thanks for trying to level the playing field.
     
  19. PhilliePhan

    PhilliePhan Guest

    You're welcome! We are happy to help :)

    Keep us posted if you need further assistance.

    PP :)
     
