A victim of my friends and "free porn"

I cant thank my friends enough for using my computer to try and find the paris hilton video. Its really made my week so far, scanning my computer and getting no work done is exactly how I like spending my time.

I had a lot of spyware, adware, viruses all over my computer, so I went through your tutorial step by step, including most of the optional steps. The virus scanners stopped finding anything so i thought my computer was clean.
However now I find that nothing much has changed. My main problems are listed:
1) about:blank - didnt show the three signs in the tutorial, but still there
2) popups leading me a strip poker site, also fake windows alerts leading me to spyware sites.
3) those same popups periodically take over my internet when I am working on it and switch to those same sites or other pornish sites
4)A new toolbar labeled as "HP View" but has buttons leading to many of the same sites, from strip poker to random webcam rooms (I am not clicking those links, dont worry)
5) Just about every time I rescan something comes up, whether a trojan or some spyware.

This problem is way above my skill level, so I am asking for anyones help. I am currently going to read the hijack tutorial so if you want me to post the file just tell me. Thank you to anyone that can help.

 

before you post a log, make sure you go through the alternate scans listed at the bottom of the first tutorial.

 

To start off, thanks for replying. I went through all the scans at the end of the list and this is what I am left with.

Unfortuntately nothing is gone.
1 piece of malware found and gone. Terminater.exe was its name
the trojan scan found nothing
bit defender found a few things, but was unable to unifect
Do you want me to post some of the files. I can erase the 40 pages of bit defender finding every element that is password protected, or include that. Mostly I am hoping you know more than I do. I also went through the searchs for hijack with your other tutorial and took their advice on the nasty or malicious elements.

Please tell me what I should do next. Thanks

 

post your log as an attachment please

 

Here is my Hijack This file. If you would like to see any of the other logs just lte me know, ill make a log of those as well. Thanks for your help.

 

Kodo, or anyone else that might know.
I have my log posted, just wondering if anyone has any advice on what I should do. I am sure there are a quite a few things. Thanks

 

Looks like Kodo is tied up, so I'll get you started

C:\WINDOWS\System32\rasauto.exe ---> I haven't been able to pin this down, so I'll leave it alone.


Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it if possible:

getdns.exe

Now scan with HijackThis and Check the Boxes for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab

O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://fastsearchweb.com/counter/new/x.chm::/update.exe

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab


Again, make sure All Browser Windows are Closed when you Click FIX.

Now boot into Safe Mode and navigate to and DELETE the following if they should remain:

C:\WINDOWS\System32\iecust.dll

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let us know of any problems you may have encountered with the above instructions and how your computer is running now.

Best luck
PP

 

Thank you, as of right now, the HP view toolbar is gone, and after switching my home page adress, closing iexplorer and coming back, it still is not about blank.
I have my hijack this log posted. I am pretty sure I should delete the line for iecust.dll, but wont do it unless you say so. Also, what is the toolbar called "freshbar" I have not heard of that, so I would like to delete it as well since opening that toolbar only puts a small space inbetween existing ones. Seems irrevelant. Thank you for your help PhilliePhan. You don't know how much I appreciate it.
Mike

 

Alright, as soon as I posted that last post. The strip poker site took over my computer again. Someting must still exist in there somewhere. I didn't find getdns.exe on my processes. Maybe that, or the unknown program might be doing this. Sorry for being such a pain.
mike

 

Hi Mike,

I am sorry to say that you have one of the new breed of Nasty Malware that may be beyond my ability to fix. It consists of this Trusted Zone item: O15 - Trusted Zone: http://*.63.219.181.7 and a few hidden and extremely difficult to find .exes such as getdns.exe.

I am still in the process of studying this one. Some generic tools are available on the net to remove this baddie, but they require a lot of expertise to run properly.

Also, is rcn.com legitimate as your ISP?

I will PM our resident genius, Chaslang, to have a look at your thread. In the meantime, use HijackThis to fix the following:

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll (file missing)

O15 - Trusted Zone: http://*.63.219.181.7

O16 - DPF: RaptisoftGameLoader -

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} -

Make sure all browser windows are closed when you click FIX>

Reboot to normal Windows and give us a fresh log. I've got a few ideas & I'm sure Chas will have a suggestion or two. One of us will get back to you when we can.

ALSO, Please download the following tool:

Pocket KillBox

Please keep it handy!

Hang in there

PP

 

Ok, did what you said. log is attached as well. Other than that...
1) I was originally going to use rcn internet connection, but instead got a wireless connection and am using my neighbors connection instead. Should I fix it?
2) questions. For some reason, in the close/expand toolbars at the top top of the screen, google seems to have disappeared, instead it is just a blank space. HP view is there, but shows up as nothing, it just makes the google toolbar a little bigger, with no added buttons. I dont know if this HP thing is legit, but I have never used it. (I do have an HP Pavillion though)
Thanks once again for all your help.
Mike

 

Thanks for joining the help campaign. I have never heard of that site or seen it, How do I get rid of it? Thank you for the help. Until then I will take care of everything else. Also , please tell me if you want me to post another log. I can't thank all of you enough.
Mike

 

Thanks for taking me under your wing chaslang. Its nice to see someone representing Northern NJ. I live up in that area too.

First off, I deleted norton. I never subscribed to it anyway because you guys offer better stuff on this site. Is avast a lot better, if so I will download that and use it.

I did what you said, and looking at the log file, the trusted site is already back. Should I try it again or is this going to be a tricky one. Somehow I suspect the second and more painful answer to that question.
mike

 

Alright. Gotta love finals week, a test in 4.5 hours... so this is a great way to not study. here are the two files. Hope they do you some good. Also, the link for killbox you gave me didnt work, but I downloaded it earlier from

http://www.downloads.subratam.org/KillBox.zip

tell me if that will suffice, or if it is out of date.
mike

 

Hi Mike,

Chas & I are squishing our brains together to work through a fix. Hang in there!

He forgot to add that you need to download this as well:

http://www.thespykiller.co.uk/files/Removems4hd.reg

Just keep it handy for now.

I've got to crash, but Chas or I will get back to you Tuesday!

***If you got Pocket KillBox from my link, it is fine.

PP

 

I really appreciate everything you are doing. Keep this in mind, if you guys are near me at any time...
If you can get my computer to stop trying to get me to play strip poker. I am buying beer for the night, and that is a promise.
Thanks for everything. Ill be up and annoyed tomorrow. See ya
mike

 

We may hold you to that!

The look log is clean. That is confusing! Not what I expected to see.

We will have to try again tomorrow. Or, rather, later today

PP

 

Ok, so the search stopped working at 76000 looked at. When trying to stop the search so I can restart it. I keep getting the screen access violation at adress 0049d685 in module "rl.exe". write of adress 030E005c. Same thing happens when I try to close the program.

It finds this error in
HKEY_LOCAL_MACHINE\SORTWARE\Classes\Software\Applications\winword.exe\TaskbarExceptions\WordMail\NewExeName

Am I an idiot. I am not in safe mode, is that neccessary. I will be at a final from 4 until about 6 so I wont be able to respond until then, but will be back in full force to try and get this thing fixed. Thanks
mike

 

Ok, so round 8 begins I guess.
I had to actually go into safe mode for reglite to work. I only say that in case it gives you any hint as to what a problem may be.

My complete and utter incompetency showed up using this apparently easy program. After performing the scan I could not find any button to print it, so i select each folder or file seperately, hit the jump to button, copy what folder it brought me to, and then copied that into a .txt document. Not knowing what any of it means, i put everything that came up, including all files inside the folders that were displayed. Sorry its a lot of info, but I just wanted you to see it all. Thanks chaslang.

 

Hi Mike,

I have an idea that may work, if you have a slightly older version of this baddie. Bear in mind that I've not tried this before, so it is definitely a "Do at your own risk" proposition. I doubt any harm would come of it, though.

Let me know if you want to give a go.

If so, Please download this: REM.Zip


I'll check back.

PP

 

Hey philliephan. At this point Ill try dunking my computer in water if you think it will get rid of the incessant strip poker take over, etc.

Lets give it a whirl. Worst case scenario I reformat my computer right? right? just tell me its not jail time and I'm okay.

Mike

 

AllRightyThen!

Please follow the instructions carefully! Hopefully, I didn't make a mistake

Please download REM.Zip from the link in my previous post and extract the two files (rem.bat and zip.exe) to the C:\Windows\System32 Folder.

NOW:
Boot into Safe Mode and double click the rem.bat file to run it.

Then, while still in Safe Mode, scan with HijackThis and save the log.

Next, Reboot to Normal Windows, scan with HJT again and save that log.

Please attach those logs. Label them Safe & Normal.

THEN:
Look in Local Disk C: and find log.txt. Open it and copy and paste the contents into your post.


I have really got to crash! I'll try to take a look tomorrow.

Best Luck
PP

 

well so far so good. Did all the steps exactly as posted. The two log files are connected, and below is the lsit from the log.txt. Its kinda long, which i am sure will give you plenty to look at tomorrow. Best of luck. I have a good feeling about this one.

mike

 

one more thing i forgot to post in the previous reply. For the first time now, when I started up it said it could not find the following file. netssh.exe. Do you know if this is important or not?

Do the below and see if it still gives you that after you fix with HijackThis. Also, I will attach the other log in this post. ~ PP

 

Hi Mike,

Make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

Boot into Safe Mode and Scan with HijackThis and check the boxes fro the following:

O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe

O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe

Make sure ALL Browser Windows are Closed when you click FIX

While in Safe Mode, use Windows Explorer to try to find clfmon.exe and netssh.exe and DELETE them if found.

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

ALSO: Look in C:\Windows\Prefetch - Select ALL and DELETE

Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

ALSO: InLocal C: you should find bad.zip , bad.reg , and log.txt. Create a new folder and move those three into it.

THEN: Look at your "Favorites" list and see if this baddie added any Interesting Links that need to be removed.

It does look like the tool did the job!

This time, I really am going to sleep. Catch you at a more reasonable hour!

Best luck
PP

 

Hey Mike,

Have HJT Fix this too (in Normal Windows):

O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)

PP

 

Well I did everything you had written, and so far everything looks excellent, although it was tempting to visit some of those links they put into my favorites box... I mean who wouldn't want to work from home or get free viagra. The real test will come tommorrow, because every morning I wake up there are about 5 to 10 popups, so when I wake up around noon I will write in and tell you.
Thank you so much for your time, hopefully around noon I can tell you Im buying beers.
Mike

P.S. since you have gained my respect and trust. I am looking to make my computer more efficient by going through and disabling all the nonsense windows starts up for no reason. There are a million ways to do that written on this site, which do you recommend? Thanks PhilliePhan

 

everything is completely solved. I can't thank you enough for spending what seems like an eternity helping me out.Both of you guys really do deserve more than just some thank you's from people like me that constantly destroy their computers. Unfortunately it looks like that may be all you will get though.
There really isnt much more for me to say except "I'm buying beers for the night I guess"
Thank you so much. Ill make sure to find smarter friends in the future.
-Mike

 

Hey chaslang I actually live in bergen county. A town called Ridgewood, its right next to Paterson and very close to Paramus. If you dont know any of those, I am about 5 minutes from the garden state plaza. Where do you reside. Also, is this a building where you guys work or is it out of a home. I am interested in the whole majorgeeks website. If you guys are close enough, ill just roll in with some cases sometime.
Mike

 

Hey Mike,

We are all over the place. I am in Ohio, right now. This is just a community forum and Chas and I and the others who respond are just regular visitors with a little free time to contribute. We get contributors from all over the globe!

Speaking of contributing - If you are so inclined, visit this site and contribute to Derek's effort and Save a Hedgehog.

http://www.thespykiller.co.uk/

Though he did not make the final tool that fixed your computer, it might never have been made if he didn't get the ball rolling! Much of the early data on this baddie was compiled by Derek. He is basically a volunteer malware fighter like Chas and me.

Anyhoo, I'm glad we could help you work this out! Since I am not really a "Techie," I enjoyed the challenge!
In addition to getting smarter friends , You ought to implement some of Chas' suggestions HERE: How to Protect yourself from malware!

For the Startup Items, you should ask in the Software Forum. Although, they will likely point you to Black Viper.

http://www.blackviper.com/


Best

PP

 

Just half?
Light-weight!

 

Hey guys. Thanks so much for all your help. PhilliePhan, I dont know if you personally correspond with Derek Night, but I gave him your name. I did donate. Turns out the conversion from dollars to pounds sterling is horrid. Well thanks. How does someone in Ohio become a phillies fan. or for that matter, anyone become a phillies fan (north new jersey over here... had to say that). As for your beer, I don't travel to ohio too much, but if you are orignally around the the PA area I am currently a grad student out in the lehigh/allentown area. I can get you then.

Chaslang, do you ever go to the bars around there. I got...umm dragged to two called circa and chakra. Not my scene, but nice places none the less. Do you ever venture into ridgewood for their wild and crazy (read: not so wild and crazy) bar scene. If so, tell me. Ill buy you a beer for your services.
Thankyou, you volunteer protectors of the computer idiots.
Mike

 

Hi Mike,

Been a Phillies fan for 30+ years - It's a long story. . . .

I plan on doing Grad School myself in the coming year. I'm getting old, though, and don't party nearly enough anymore! It'll be strictly business for me!

I don't know Derek personally, but since I am interested in Malware, I try to keep up-to-date as much as possible. This includes checking out the work of others who fight the good fight. And, I believe in giving credit where it is due and, in this case, he was the one who first came up with a fix for this baddie.
So, I am happy that he is able to get a little good will in return!

Happy Holiday Computing

PP

 

Not sure where things stand, but in safe mode, try accessing system32 and select View,List,Details. Toggle the date column to find the most recent entries. You probably will find iecust.dll, iecust.exe and several other .exe and .dll files "timestamped" at about the same time. Go to command prompt and delete the files in "DOS mode"--however, do NOT delete wpa.dll. If you want to be extra careful, you could rename the files (e.g., xxx.dll to xxx.old)..just to make sure you are not deleting a non-spyware file. Reboot and try surfing..