Malware Removal: Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
Any help would be most appreciated. Something was downloaded onto my computer earlier today. I ran virus scan (McAfee) and did Microsoft ad delete and ad-ware. Nothing got rid of it. McAfee recognized it, but said it was write-protected. I have been online all day trying to figure this thing out and delete it. Here is what it does: puts a bunch of desktop icons on the computer (porn, gambling...) and hijacks the homepage. Every time I try to delete the stuff it just comes right back. Anything you genius computer guys can come up with to help me out would be great.
#2
Seems more like a spyware to me, did you try downloading Spybot or Ad-Aware to do a run on your system?
#3
First, please follow ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

After doing ALL of the above if you still have a problem:

Download HijackThis 1.99.1
Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.
Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
Run HijackThis and save your log file.
Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
#4
I did all of the steps in the do this before commenting and still have the problem. I ran the hijack this and will attach it. Thanks for the advice and hope to hear from you further. The website that keeps popping up states my PC is infected with "__winSterHJK v. 2011" accessed through ports: 3128 and 8080...Further, this is the site it leads to http://www.specialgoods.info/ad/ad03...ng/danger.html. This pops up on my web-browser without even opening Internet Explorer in addition to some other sites (pharmacy, graphic porn) and about 20 desktop icons that keep coming back even after being deleted. I thought I might include that, although I don't know if it will prove helpful.
#5
Download LSP-Fix

After download is complete, Run LSP-Fix
Check the Box labeled "I know what I'm doing" and then click on the connwsp.dll file (in the “Keep” section) to select it.
Then, Select the >> button to move connwsp.dll into the Remove section.
Now, click the Finish Button. When the Repair Summary box appears, click OK.
(Note: If the file connwsp.dll is already in the remove section, then just click FINISH.)

Now, Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled:

Now scan with HijackThis and Check the Boxes for the following:
Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0337/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {C51C636F-FA2F-4615-9AC5-A0B84311EA00} - C:\WINDOWS\System32\kfadkk.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rainingdata.webex.com/client...ex/ieatgpc.cab

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT: Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK.
Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

Reboot to Normal Windows

FINAL STEP
Reset Web Settings & Default Security Settings:

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

After you have completed ALL of the above, Scan with HijackThis and attach the new log.
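An added example, not part of the original posts: a small Python parser for the HijackThis entry format quoted in post #5, which flags entries marked "(no file)" or "(file missing)" and start-page values on hosts outside an allowlist. The function names and the trusted-host set are assumptions made for illustration; the sample lines are copied from post #5.

```python
import re
from urllib.parse import urlparse

# HijackThis section codes that appear in post #5 and what each one lists.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE setting",
    "O2": "Browser Helper Object", "O9": "IE extra button or menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these when the registry entry points at nothing.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse_entry(line):
    """Split one log line into section code, CLSID, orphan flag and URL value."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    code, body = m.group("code"), m.group("body")
    clsid = CLSID.search(body)
    value = body.split(" = ", 1)[1] if " = " in body else ""
    return {
        "code": code,
        "kind": SECTIONS.get(code, "unknown"),
        "clsid": clsid.group(0) if clsid else None,
        "orphaned": bool(ORPHAN.search(body)),
        "url": value if value.startswith(("http://", "https://")) else None,
    }

def triage(lines, trusted_hosts):
    """Return (code, reason, detail) for orphaned entries and odd start pages."""
    findings = []
    for entry in filter(None, map(parse_entry, lines)):
        if entry["orphaned"]:
            findings.append((entry["code"], "orphaned reference", entry["clsid"]))
        elif entry["url"] and entry["code"].startswith("R"):
            host = urlparse(entry["url"]).hostname
            if host not in trusted_hosts:
                findings.append((entry["code"], "untrusted start page", host))
    return findings

# Entries copied from post #5; the trusted-host set is an assumption.
SAMPLE = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0337/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {C51C636F-FA2F-4615-9AC5-A0B84311EA00} - C:\WINDOWS\System32\kfadkk.dll (file missing)",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)",
]
FINDINGS = triage(SAMPLE, trusted_hosts={"www.majorgeeks.com"})
```

The two checks cover only part of what the helper selected by hand; the R1 ProxyOverride entry, for instance, passes both and still needed a human decision.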
#6
Thanks for taking on the task. Everything still comes back. I know I turned off the system restore if you were wondering. Further, I am getting a runner error when starting up stating "invalid backweb application id "137903"
#7
C:\Program Files\Internet Explorer\iexplore.exe
This process is running in your log, did you close all browsers before you clicked fix? If not, this will be impossible to remove. You MUST close every browser even this one before clicking fix.
#8
I closed all of the browsers and printed the directions to follow. I am assuming you just mean closing the box by closing all browsers, or do you mean stop the process in the Ctrl-Alt-Del menu?
#9
Please download, install, and update: Spy Sweeper

Then run a full scan with Spy Sweeper and fix what it finds. Post the log from Spy Sweeper as an attachment.
Now boot into safe mode and run Spy Sweeper again. Save the log again.
Reboot in normal mode and post both SpySweeper logs.
#10
Downloaded Spy Sweeper and ran in normal and safe mode. It found and removed traces and items. I ran it a couple times though and each subsequent time it found 1 item and 8 traces from the same place. I attached a copy of the log in notepad form. I also found a file that was created about the same time I started having all of these problems. I don't recognize the name of the file, maybe you will: "param32.dll". Thank you for your help and sorry I am getting back to you a day later as I had to go to work.
#11
I've been doing some investigating on the file "param32.dll" on my own. Here is a web address that describes my symptoms pretty well (desktop icons created are exactly the same, but what I have does not change my background, but it does create popups). http://www.delrina.com/avcenter/venc...tophijack.html. I would follow the instructions there, however McAfee virus scans do not recognize the file anymore and when it did, it could not delete it as it said it was write protected. Another suspicious file created around the same time I started having the problem I found was "popup_bl.dll". I hope this helps you in helping me. Sorry to write so much.
#12
The file popup_bl.dll is part of CoolWebSearch Trojan.
The file param32.dll is part of a Desktop Hijacker.

First, download and run the following utility: CWShredder 2.14 (Click FIX instead of SCAN)

Next, check out the following website. It describes the file param32.dll and things that possibly could come with it. Search for EACH file and delete when found.
http://www.greatis.com/appdata/d/_/_sysdir__param32.dll_Removal.htm

After doing ALL of the above, reboot and post a fresh HJT log.
#13
I had already downloaded and run CWShredder as part of the do this before posting thing, but I ran it again and nothing was found. I deleted everything that was found except for the param32.dll as it says "make sure disk is not full or write-protected and the file is not currently in use". I was in safe mode when I tried to do it, but normal mode doesn't work either. Most of the files I was able to delete just pop right back up (i.e. desktop icons). Thanks again. Below is my HJT log. I did close iexplorer.exe before I ran it per our prior posts.
#14
Please boot into Safe Mode with the viewing of hidden files and folders enabled per the tutorial.

Now, Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:

regsvr32 /u C:\windows\system32\param32.dll
regsvr32 /u C:\windows\system32\popup_bl.dll

Now, Navigate to and delete both files!

Now, Scan with HJT and have it fix the below entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0337/

Reboot into Normal Mode and run the below online scans:

Bitdefender
RavAntivirus <-- select Auto Clean then click Scan My PC
TrojanScan
avast! Virus Cleaner Tool

Let me know if they find anything and what/where.
#15
I was able to delete all of the files and nothing seems to be popping up since yesterday. I have posted another HJT log just in case you want to take a look at it and make sure everything seems to be in order. Thanks a lot for all of your help even though I seemed to have broken all of the cardinal rules of the forums you still helped me out.
Best, Andrew
#16
Scan with HJT and have it fix this entry:

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

After fixing the above entry your HJT log will be clean. Are you having any further problems?
#17
Did as you told. No further problems, thanks.
#18
One more thing, should I reset all of the things that I changed in the original do this before asking for help, such as allowing the system restore, etc., after I have gone a while without any problems?
#19
You should see this article on How to Protect yourself from malware!