Help Me Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by BLG, Sep 19, 2005.

  1. BLG

    BLG Private E-2

    Major Geeks,

    I need your help. My Computer every 20 minutes or so is trying to download a less than "wholesome" site. I have absolutely no idea how this has happened, but that is neither here nor there. I have done my best to understand your protocol and here is what I have done so far.

    I have read your basic tutorial regarding scanning for viruses and spyware. I have followed each step as best as I could. I have XP and my dial up is through Juno Platinum.

    As I said, I have followed each step - and I hope I have done them all properly. I am not geekable, so bear with me.

    1. I prepared my computer to be scanned.
    2. I believe I have followed your directions properly to show all hidden files.
    3. I downloaded all the tools you recommended.
    4. I scanned and cleaned using Bitdefender and RavAntivirus. Bitdefender did find some trojans and reported that they were deleted. Some that they found were simply viruses that my Symantec had quarantined. [One Caveat: I was unable to do any of these scans in safe mode. I could not figure out how to do it with Juno.]
    5. I then followed all the directions as to cleaning the hard drive and using spyware.

    After doing this, all of this has continued. Every 20 minutes or so, even if I am doing word processing, my webbrowser will come on trying to get me to this site.

    I am aware that my "patches" are not up to date. Dell three years ago told me not to do that and said that they were causing problems. So I didn't do it. With my own computer at home, Dell told me that they are now recommending this. Who can figure? Anyway, while I want to update those patches, i.e. service pack 2, I wasn't sure if I needed to fix this problem before adding it.

    Can you please help me?!

    BLG
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You will need to make sure your system is clean of all malware before you update and apply SP2. If after doing ALL of the steps in the sticky you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. BLG

    BLG Private E-2

    Thank you for your help.

    I believe I understand how to do this. So here goes. If it doesn't show the attachment, I will see what I can do to make it work.

    BLG
     

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You do not have HijackThis installed as requested. HijackThis should be installed in a safe location such as C:\Program Files\HJT or C:\Program Files\HijackThis.

    Download
    - Pocket Killbox
    - L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe.
    Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your message.

    Please don't run any other files in the L2MFix folder.

    Remove the following from Trusted Zones in Internet Explorer:
    Look in Add or Remove Programs in the Control Panel and uninstall the following if found:
    Next, in HJT, choose Open the Misc Tools Section, choose Process Manager, highlight
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE, open Windows Explorer, navigate to and DELETE the following folders.

    Reboot and post a new HJT log.
     
  5. BLG

    BLG Private E-2

    Shadow_Puter_Dude,

    Thank you for your help thus far.

    Before I go any further and do something wrong, I need to inform you of what steps I have done.

    I have downloaded both pocket killbox and l2mefix tool as you said. I have run l2mefix and I will attach the log here.

    I went to Explorer and tried to delete Trusted Zones, but found only two:
    *.asdbiz.biz and trusted IP range 67.19.178.84

    I looked in Add or Remove Programs and did not find PurityScan or Clickspring but I did find an odd one there OIN. Before when I tried to delete it, it says something to the effect that it cannot find the files to it, but that it can remove it from the program list. Should I remove it from the list??

    Finally, I used HJT and did as you suggested by opening the Misc Tools Section and chose Process Manager. I did not find any of the following:
    C:\WINDOWS\System32\efsdfgxg.exe
    C:\WINDOWS\System32\d?xplore.exe
    C:\Program Files\rdso\eetu.exe

    However, I need to tell you that yesterday or the day before, I did some searching of my processes on the internet and found that the efsdfgxg.exe and the eetu were bad ones, so I ended those processes through my Task Manager. So, before I go any further, I need to know if what I did changes any of your directions to me.

    I appreciate your patience.

    BLG
     

    Attached Files:

    • lo2.txt (1.8 KB)
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just do what you can in the directions I gave you, when finished post a fresh HJT log. You can remove OIN from Add or Remove Programs.
     
  7. BLG

    BLG Private E-2

    Alright. I've done what you said and I have attached my Hijack This File.

    Let me tell you a couple things just so you have the info:

    I did not find in the HJT Fix scan any of the two 017 lines. Did I do something wrong??

    When I ran HJT Fix, I got an error message that said:
    Unexpected error occurred! Error #52 (bad file name or number) in sub Getlong Path(?exe). Please send a report to merijn@spywareinfo.com and mention what you were doing and what version of windows you have. This message has been copied to your clipboard.

    Finally. When I ran safe mode and went to delete those three files I only found the last one, the rdso. I did delete it.

    Thanks,
    BLG
     

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now scan and have HJT Fix the following:
    Reboot and post a new HJT log.
     
  9. BLG

    BLG Private E-2

    Okay. Attached is the newest Hijack This. I am happy to say that I have not had any of those web pages opening! :)

    I might be getting ahead of myself, and I will wait until you tell me, but when I do put service pack 2 on my computer, can I use the Microsoft Windows firewall that is included in it (I think it enhances the Microsoft one that comes with my computer) or is it in my best interest to put on a better one?

    I await further orders.

    Very thankful,
    BLG
     

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  11. BLG

    BLG Private E-2

    Shadow_Puter_Dude,

    I want to thank you very much for all the time and effort you gave me today to fix this problem. I can't tell you how frustrated I was, and how relieved I feel now. I will certainly direct others to your site.

    Also, I will follow the advice in your last post.

    Thank you again,

    BLG
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome, surf safely.
     
  13. BLG

    BLG Private E-2

    I'm sorry to bother you again. I really thought I could stop bugging you.

    I installed xp service pack 2, but when I now go to my firewall settings, it says, "Due to an unidentified problem, windows cannot display my firewall settings."

    Do you have any idea what's wrong? Or do I need to take this to a new major geeks forum?

    BLG
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This is more an issue for the software forum. If you could please post there, one of the others or myself can help you in that forum.
     
