HELP! I've done everything on the 'do this first post' & my system is still eaten up!

Discussion in 'Malware Help (A Specialist Will Reply)' started by gullicat, May 18, 2005.

  1. gullicat

    gullicat Private E-2

    I went through each of the steps in
    http://forums.majorgeeks.com/showthread.php?t=35407

    i still get goforsearch.com popups when i am not online and about:blank is still overriding my opening page for browser. and anytime i move pages startsearches.net tries to divert me. I am unable to access my web email account b/c it won't allow me to hold the page by refreshing w/o error messages.

    it has started messing with the phone which we do through internet too- dropping calls and missing functions.

    we have cable internet.
    I completed the steps in 'getting prepared'
    I loaded/updated the 10 tools
    I put it into safe mode and ran everything as instructed

    everything seemed to do its job

    i did not do optional or alternative steps at the bottom.

    I had to set up another computer to post on the forum... mine is so 'ate up'.
    husband downloaded a music translation utility last night and thinks that that is what did it...

    meanwhile, my computer is unusable.

    I would dearly love more help.

    -gullicat
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. gullicat

    gullicat Private E-2

    second scan

    okay, i will go get the hijack this,
    but after i had run all the things once, i went back and tried to run through them again. the HouseCall came back clean and the symantec security scan was green except for update needed, but when i ran the symantec virus scan it froze. when i ran it on non-safe this came up-

    43610 files scanned, 79 file(s) infected on your disk drives.

    C:\bsw.exe is infected with Trojan.Desktophijack
    C:\WINDOWS\mxTarget.dll is infected with Adware.MXTarget
    C:\WINDOWS\popuper.exe is infected with Trojan.Pepop
    C:\WINDOWS\SYSTEM32\hp1BF5.tmp is infected with Trojan.StartPage
    C:\WINDOWS\SYSTEM32\intmonp.exe is infected with Trojan.Pepop
    C:\WINDOWS\SYSTEM32\ole32vbs.exe is infected with Adware.Massfav
    C:\WINDOWS\SYSTEM32\shnlog.exe is infected with Trojan.StartPage
    C:\Program Files\Support Software\SS2.DLL is infected with Adware.MediaLoad
    C:\Program Files\scbar\v9\scbar.dll is infected with Adware.WindowEnhancer
    C:\Program Files\scbar\v9\scbar.exe is infected with Adware.WindowEnhancer
    C:\Documents and Settings\Dad\Favorites\Black Jack Online.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Home Loan.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Job Search.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Network Security.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Dating.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Pharmacy.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Remove Spyware.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Spam Filters.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Web Detective.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Air Cleaner.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Cell Phones.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Computers.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Direct TV.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Gifts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Laptops.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\LCD Multimedia Projector.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Leg Exercise Machine.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\shopping\Skin Care.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Adult Dating.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Breast Enlargement.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Escorts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Generic Viagra.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Penis Enlargement.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Photo Personal.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Sex Toys.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Sexual Enhancers.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Single Girls.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Swinger Clubs.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Viagra for Woman.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Sexual Life\Viagra.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Baccarat.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Bingo.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Black Jack.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Free Chips.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Horse Racing.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Lottery.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Online Casino.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Online Craps.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Online Gambling.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Online Poker.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Roulette.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Slot Machines.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Sport Betting.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Online Gambling\Wagering.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Audi Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Audi Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Auto Dealers.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\BMW Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\BMW Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Car Financing.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Car Insurance.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Car Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Honda Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Honda Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Lexus Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Lexus Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Mercedes Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Mercedes Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Mitsubishi Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Mitsubishi Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\New Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Opel Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Opel Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Toyota Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Toyota Parts.url is infected with Adware.Massfav
    C:\Documents and Settings\Dad\Favorites\Cars\Used Cars.url is infected with Adware.Massfav
    C:\Documents and Settings\All Users\Start Menu\Computer Security.url is infected with Adware.Massfav
    C:\Documents and Settings\All Users\Start Menu\Spam Filters.url is infected with Adware.Massfav



    huh?

    okay, so off to hijack this

    thanks for helping
    -gullicat
     
  4. gullicat

    gullicat Private E-2

    okay, here is hijack log

    log1
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: okay, here is hijack log

    First answer a quest! Are any of those Favorites things you saved? Or were they all added by the Adware.Massfav problem?

    Now download this: ABIremover

    Unzip it into its own folder. Now boot into safe mode with no network support and do not open any browsers. Now run the ABIremover.exe file.

    When done reboot into normal mode and post a new HJT log.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. gullicat

    gullicat Private E-2

    hjt log 2- web problems too

    i ran the remover.

    none of those favorites were ours.

    the startsearch thing that tries to overtake the browser every time i switch pages ... is that attached to the about: ?

    here is hjt log #1 from user 1
    i'll post log from user #2- in just a sec.
     

    Attached Files:

  8. gullicat

    gullicat Private E-2

    hjt log from user #2

    my (mom's) desktop has not been affected (because i have been staying off of it), but the net is still taken over. i don't know whether the logs would differ or not... but here it is
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: hjt log 2- web problems too

    Okay let's work on one log at a time to avoid getting ourselves confused. For your log in message # 7, I'm still worried that some items may be lingering around. So let's run the procedure below to make sure nothing is hiding. You may or may not find many of these items so just work through all the steps anyway to be safe.

    But first one important note. You appear to be running both McAfee and AVG antivirus programs. You must run only one AV. So pick the one you prefer and uninstall the other.

    Have you removed all those bad entries from your favorites? If not, you should do so now.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp3C19.tmp
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\hp3C19.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
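A defender-side way to spot the kinds of entries chaslang picks out of the HJT log, as an added example that is not from the thread or from HijackThis itself: it scans HijackThis-style lines for the patterns above (start/search page keys pointing at about:blank or an unfamiliar host, extra processes on the system.ini Shell= line, a BHO or Run entry loading a .tmp file or a msmsgs.exe outside the Messenger folder). The sample log is constructed from the entries quoted in this post plus one clean AVG line; the allowlist of hosts is an assumption.

```python
"""Flag hijack indicators in HijackThis-style log lines (added example)."""
import re
from urllib.parse import urlparse

# Hosts a stock IE start/search page may legitimately point at (assumption).
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "microsoft.com", "www.msn.com",
                    "go.microsoft.com", "search.msn.com", "www.majorgeeks.com"}

# The only process expected on the system.ini Shell= line.
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: entries from the post plus one benign AVG Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp3C19.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
PLACEHOLDER_CLSID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}"


def check_url_entry(value):
    """R0/R1 start/search page values: about:blank or an unknown host is suspect."""
    value = value.strip()
    if value.lower() == "about:blank":
        return "start/search page reset to about:blank (StartPage hijack symptom)"
    host = urlparse(value).hostname
    if host and host.lower() not in KNOWN_GOOD_HOSTS:
        return f"points at non-default host {host}"
    return None


def check_shell_entry(value):
    """F2 Shell=: anything besides explorer.exe is loaded alongside the shell."""
    procs = [p.strip().lower() for p in value.split(",") if p.strip()]
    extra = [p for p in procs if p != EXPECTED_SHELL]
    return f"extra shell processes: {', '.join(extra)}" if extra else None


def check_path(path):
    """O2/O4 file paths: .tmp code, or msmsgs.exe outside Program Files\\Messenger."""
    low = path.lower()
    if low.endswith(".tmp"):
        return "executable code loaded from a .tmp file"
    if low.endswith("msmsgs.exe") and "\\messenger\\" not in low:
        return "msmsgs.exe outside the Messenger folder (impersonates MSN Messenger)"
    return None


def analyze_line(line):
    """Return (entry_type, reason) when a line looks like a hijack, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    reason = None
    if kind in ("R0", "R1"):
        _key, _, value = body.partition(" = ")
        reason = check_url_entry(value)
    elif kind == "F2" and "Shell=" in body:
        reason = check_shell_entry(body.split("Shell=", 1)[1])
    elif kind == "O2":
        reason = check_path(body.rsplit(" - ", 1)[1])
        if reason is None and PLACEHOLDER_CLSID in body:
            reason = "BHO registered under a placeholder all-F CLSID"
    elif kind == "O4":
        # body looks like: HKLM\..\Run: [Name] C:\path\file.exe /args
        reason = check_path(body.split("] ", 1)[1].split(" /")[0])
    return (kind, reason) if reason else None


def flag_entries(log_text):
    """Return [(entry_type, reason)] for every suspicious line in the log."""
    return [r for r in map(analyze_line, log_text.strip().splitlines()) if r]


if __name__ == "__main__":
    for kind, reason in flag_entries(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```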
     
  10. gullicat

    gullicat Private E-2

    after steps...

    removed Mcaffee
    removed bad favorites
    had already restore disabled and hidden files visible

    none of the three programs were in the prog list

    fixed both desktops with hijack this

    deleted files virtual maid and windows sys 32 logfiles- these were the only ones present in explorer

    reset web settings on both desktops

    have loaded opera browser to use b/c unable to use explorer any more.

    ran cc cleaner

    was unable to put the registry addition in b/c my only choices to save as type are- rich text, text doc textdoc-MSDOS, Unicode. i tried as richtext and it wouldn't allow it

    did hoster on both desktops.

    still getting goforsearch popups, about:blank and dofinder.com and startsearchers.net. - so much so that explorer is not useable.

    when i rescanned with hijackthis, i see that the about and searchers files are on there again....

    i have unhooked cable except when using.
    hijack log is attached.
    what now boss :)?

    thanks much for the help
    -gullicat
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: after steps...

    You did not cleanup all the files I listed. They are still appearing in your log. All of these processes and files are still present:

    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\hp712F.tmp

    Run all the steps again. And make sure you locate and delete these files as they are on your PC.

    Also select text doc textdoc-MSDOS when you save the file to merge into the registry. Then later you will have to rename the file so that it does not end in .txt It must end in .reg.
     
    Last edited: May 23, 2005
  12. gullicat

    gullicat Private E-2

    Okay :)

    did your instructions again.

    then ran HJT- about and startsearcher were on again- after i had just removed them!

    also- every time i 'fix' HJT when it gets to the BHO file, i get an AVG trojan alert re:

    ran CCcleaner
    ran about:buster- none found
    restarted
    ran kill2me
    ran HSremove- 8 items removed in the 'remove remnants' category
    ran ABI remover
    ran stinger- just showed 9thousand something clean files- no indication of found problems
    ran AVG anti virus- no viruses found
    ran CWshredder- none found
    -----------

    ran adaware SE- 3 critical objects (removed):
    Regkey dataminer HKEY_CLASSES_ROOT:interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\

    RegValue dataminer HKEY_CLASSES_ROOT:interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f} ""

    Regkey data miner HKEY_CLASSES_ROOT:typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\
    ---------------

    ran spybot search and destroy- removed coolwwwsearch.tooncomics
    -------------

    cc cleaner
    deleted prefetch folders
    hijack this- 'fixed' R1 about:blank x1, R1 startsearch.net x5, R0-hsremove.com x2, R0 startsearche.net x1, O2 BHO FFFFF.. x1

    ran Hsremove- 8 items removed
    ran about:buster- no ADS found on system, attempted clean of temp folders
    cc cleaner
    restart

    Ran HJT and deleted about:blank and many startsearch.net on 2nd desktop, ran cc cleaner and restarted.

    'dad' 's HJT log is attached

    also- i have switched to Opera browser. is there anything i need to do to 'shut down' or disable Explorer?

    really thanks tons!

    -gullicat
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any problems in your HJT log. The below two lines can be fixed but they are not malware problems. They are just cleanup issues:

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    You cannot disable Explorer. It is your Windows shell. Or did you mean Internet Explorer (iexplore.exe)? It is also integrated into the OS and you will need it for a variety of websites including Microsoft.
     
  14. gullicat

    gullicat Private E-2

    thanks so much- it seems all clean.

    I really appreciate the help.

    -gullicat
     
  15. moyupae

    moyupae Private E-2

    Re: HELP! I've done everything on the 'do this first post' & my system is still eaten

    *sigh* will there ever be a day when we don't have to run a windows machine through a gauntlet of programs just to keep unwanted files from bogging down our systems? :rolleyes: If only mac and linux could get their act together enough to buy up some of the market share...
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So if everything is working okay now, you should check out the below to help keep you clean:

    How to Protect yourself from malware!
     
