Grandparents Need Help Fast Please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Filterless, Dec 26, 2004.

  1. Filterless

    Filterless Private E-2

    I am at my Grandparents' and their PC is infested. I have only a few days till I have to go back home (1300 miles). I have run Ad-Aware SE Pro & it removed 370 infections. There is still something there I can't seem to find that is causing popups. I have been going through the HijackThis log file and I am at a loss... Any help would be nice, but really fast help before I have to leave here would be great. I hate that I am on such a short timetable. :confused:
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. Filterless

    Filterless Private E-2

    Thank you for the speedy reply!
    I did what you said to do and here were the results.

    Trend Micro's Online Virus Scan found 2 viruses and I manually removed them after it failed.
    Norton found nothing at all and said I was safe
    Ad-Aware SE Pro + VX2 Plugin - 370 Items Removed + 0 Items with VX2
    CCleaner - Many Items Removed
    Spybot S&D + DSO Fix - Immunized - Items Removed
    SpywareBlaster - Ran
    Stinger - 0 Items
    CWShredder - 0 Items
    Kill2Me - Ran
    about:Buster - Ran
    HSremove - 8 Items Removed

    After a reboot, when I got to the desktop something installed without me being able to stop it or find out what it was. Also, when I go to non-popup sites like www.google.com's main page and http://forums.majorgeeks.com/showthread.php?t=35407 there are still popups.

    Is there anything else I can do? :eek:
     
  4. Filterless

    Filterless Private E-2

    Yes, I have HijackThis 1.99!
     
  5. todbran

    todbran Private E-2

    Start in safe mode (reboot, tap F8 during startup) and run all of the spyware, antivirus etc. programs. If that doesn't work, try to identify the popup. Do a search in the registry (regedit) for any programs that shouldn't be there. Look in the C: drive/programs and see if there is anything out of place there.
     
  6. Filterless

    Filterless Private E-2

    I have already run all the spyware tools in safe mode! I have also looked to see what was installed in the C:\progra~1 dir, and I am at a loss... If I knew any more I would have fixed it by now. I also have no clue how to find files in the registry that are not meant to be there. That is why I came to this site for help!
     
  7. todbran

    todbran Private E-2

    Then run regedit (Start > Run, type regedit, then HKEY_LOCAL_MACHINE\Software), go through and look for it there.
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Filterless,

    Please send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I am not around too often these days, but somebody should be able to take a look and fix you up!

    PP :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BAD IDEA. Most installed programs can be seen in Add/Remove Programs. You should avoid sending people to use regedit before knowing their capabilities, and before doing so the registry should be backed up.
     
  10. Filterless

    Filterless Private E-2

    Here is the log file in txt, Thank you :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look at Add/Remove programs for WeatherBug if installed, uninstall it.

    Download LSP-Fix to your other computer and then get it on to your broken one.
    Download it here: http://www.majorgeeks.com/download4180.html
    Unzip it and run it. Check the Box labeled "I know what I'm doing" and then click on the osmim.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move osmim.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Then reboot! While you do that I will continue to look at your HJT log. Be back soon.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looks like I beat you back!

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    c:\windows\system32\mksc.exe
    C:\WINDOWS\system32\bretiuxh.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [dbvtxb] C:\WINDOWS\system32\bretiuxh.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/080d2b426bb0ec6a7a04/netzip/RdxIE601.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/kontiki/kontiki/current/kdx.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\windows\system32\mksc.exe
    C:\WINDOWS\system32\bretiuxh.exe
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\wupdt.exe
    C:\Program Files\AWS <--- the whole folder if it still exists

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
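    Added example, not code from the thread or from HijackThis: a small Python parser for the HJT line formats chaslang lists above (R0/R1 IE pages, O2 BHOs, O4 Run keys, O9 buttons, O16 DPF downloads). It pulls each entry's hive, CLSID, target and whether the target is a dead pointer, then lists the files still on disk worth checking in safe mode and the domains the browser is being pointed at. The sample entries are copied from the post; the class and function names are my own.

    ```python
    import re
    from dataclasses import dataclass

    # Constructed sample: a few HJT entries copied from the thread above, not a complete log.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: (no name) - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
    O4 - HKLM\..\Run: [dbvtxb] C:\WINDOWS\system32\bretiuxh.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    """
    CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
    URL = r"https?://\S+"
    MARKERS = r"\((?:no file|file missing|HKCU|HKLM)\)"   # trailing tags HJT appends to a line
    @dataclass
    class HjtEntry:
        kind: str              # section prefix: R0/R1 (IE pages), O2 (BHO), O4 (Run key), O16 (DPF) ...
        hive: str = ""         # HKCU / HKLM when the line names one
        clsid: str = ""        # COM class id for BHO / toolbar / button / DPF entries
        target: str = ""       # file path, URL or module the entry points at
        missing: bool = False  # "(no file)" / "(file missing)": the registry points at nothing
    def grab(pattern, text, group=0):
        m = re.search(pattern, text)
        return m.group(group) if m else ""
    def parse_line(line):
        m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
        if not m: return None                       # header, blank or unknown line
        kind, body = m.groups()
        e = HjtEntry(kind, grab(r"\bHK(?:CU|LM)\b", body), grab(CLSID, body), "",
                     "(no file)" in body or "(file missing)" in body)
        if kind[0] == "R":                          # IE start/search value:  key = URL
            e.target = body.split(" = ", 1)[-1].strip()
        elif kind == "O4":                          # Run key:  [name] path
            e.target = body.split("] ", 1)[-1].strip()
        elif kind in ("O2", "O3", "O9") and e.clsid:  # ... - {CLSID} - path (tags)
            e.target = re.sub(MARKERS, "", body.split(e.clsid, 1)[1]).strip(" -")
        elif kind == "O16":                         # Downloaded Program File: source URL
            e.target = grab(URL, body)
        return e

    def parse_log(text):  # one entry per well-formed line; everything else is skipped
        return [e for e in map(parse_line, text.splitlines()) if e]

    def domains(entries):  # hosts the entries point IE at; compare with known hijacker domains
        urls = [grab(URL, e.target) for e in entries]
        return sorted({u.split("//", 1)[1].split("/", 1)[0].lower() for u in urls if u})

    def files_to_review(entries):  # files still on disk that the registry loads: the safe-mode list
        return sorted({e.target for e in entries if re.match(r"^[A-Za-z]:\\", e.target) and not e.missing})
    ```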
     
  13. Filterless

    Filterless Private E-2

    There was a problem uploading the log file to the Major Geeks server, but it can be found @ "http://forums.majorgeeks.com/attachment.php?attachmentid=13410"
    I tried to delete it and resend it, but it will not delete.

    Now for what I did:
    When running HijackThis there was an "Error: Hijackthis cannot repair O10 Winsock LSP entries. You should use LSPFix for that, which is available from http://www.cexx.org/lspfix.htm."

    I just read where you said to download LSPFix... OOPS... let me go do that - - Done... and now HijackThis does not see it... GREAT

    I also could not find systb.dll, but there was a systb.exe and I did delete it.
    I have had one popup since I got back here at Major Geeks, so that is a big improvement! :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to upload a new HJT log. Give it a different name than last time. Using a number sequence works well, like log1.txt, log2.txt etc. Each time you upload it must have a different name.
     
  15. Filterless

    Filterless Private E-2

    Here is another log file for you!
    Thanks again for all the help :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log looks clean now, although I have to ask about a new entry that appeared.

    Did you add the below start page? If not, have HJT fix the below line.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm

    Any other problems?
     
  17. Filterless

    Filterless Private E-2

    Yes, I did add that to the start page. It is what they wanted.
    Thank you for all your help, this PC is now acting like a new PC. THANK YOU!
    thank you, thank you, thank you!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
