I am stuck for ideas

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hipster, Nov 7, 2004.

  1. hipster

    hipster Private E-2

    Hey there
    I was hoping you may be able to help me.
    After letting someone else use my computer it is completely rooted. My desktop has become an ad, which I removed, but now it flashes and it is not a desktop in the traditional sense, i.e. I cannot right click and do the normal things, and my home page has gone berserk with pop-ups galore occurring.
    I have followed closely the steps you have outlined and downloaded and run all of the software as you have instructed but unfortunately no joy.
    I have also run Norton 2004 which found a number of irregularities and then fixed some of them but unfortunately most of the problems have come back.
    I am really running out of ideas here and was hoping you may be able to help.
    Cheers
    Hipster
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you do complete scans with Norton in safe mode? If you're sure you did everything, post a Hijack This log file.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but make sure you follow the guideline in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  4. hipster

    hipster Private E-2

    Thanks very much for taking the time out to help me.
    It has taken a while to post my log as my explorer page was rerouting me completely for a while.
     

  5. hipster

    hipster Private E-2

    Is anybody able to help??
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a couple of comments: your system is way out of date. You need to get your OS and IE versions updated. You probably have many other items requiring updates too. See how to get to MS update in this thread: How to Protect yourself from malware!

    Second, it is not a good idea to locate HijackThis under a folder belonging to Adobe.
    C:\Program Files\Adobe\Hijack this pls\HijackThis.exe

    This would be better:
    C:\Program Files\Hijack this\HijackThis.exe

    Third: You never ran the Trend Micro online scan. Is there a reason why?


    Download KillBox
    http://download.broadbandmedic.com/Killbox.exe

    Print these instructions or save locally. You must not be connected to the internet during this.
    Close all open programs, windows and browsers, run Killbox and paste each of these lines into the box, select "delete on reboot" and "end explorer shell before deleting". On any dll file tick "unregister dll before deleting", then press the red X button. When it says reboot now, say no and continue to paste the lines in turn, following the above procedure every time. DO NOT let it reboot yet.

    C:\WINDOWS\System32\TGBRFV_.exe
    C:\WINDOWS\System32\TGBRFV_5.dll
    C:\WINDOWS\System32\TGBRFV_.dll
    C:\WINDOWS\System32\TGBRFV_5.exe

    Then click Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder. Also, empty the contents of your Recycle bin and c:\windows\Prefetch folder.
    Some files can be hidden and only killbox or a similar delete on reboot mechanism works. Any attempt to delete manually results in a total reinfection. Always use Killbox to delete all 4 of the above named files at the same time. Many infections will only have one .exe and one .dll which might or might not have the _5 suffix.
    Run HijackThis and fix (make sure no browsers are running):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    O9 - Extra button: TPG Home - {195A4CBC-3A35-4846-9ED0-D501A44FFE6F} - http://www.tpg.com.au (file missing) (HKCU)
    O13 - DefaultPrefix:
    O13 - WWW Prefix:

    Now reboot your PC. Come back here with a new HJT log and tell me how things are looking.

    Programs like Ares (O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h) quite often are the cause of problems like this.
     
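As an added example (not from this thread or from MajorGeeks), the Python script below applies the same triage rules used in the post above to HijackThis log lines: it flags R0/R1 search and start-page entries that are marked obfuscated or point at a host outside a small allowlist (the allowlist is an assumption), a UserInit value that loads anything besides userinit.exe, and any O13 prefix change. The sample log lines are constructed from the entries quoted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT lines quoted in this thread,
# plus one clean Start Page and one clean UserInit line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
F2 - REG:system.ini: UserInit=userinit.exe,
O9 - Extra button: TPG Home - {195A4CBC-3A35-4846-9ED0-D501A44FFE6F} - http://www.tpg.com.au (file missing) (HKCU)
O13 - DefaultPrefix:
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Assumption: hosts this site considers legitimate for IE start/search pages.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "go.microsoft.com"}


def check_line(line):
    """Return (kind, where, reason) for a suspicious HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):  # IE start/search page registry values
        key, _, value = body.partition(" = ")
        if "(obfuscated)" in value:
            return (kind, key, "obfuscated search/start URL")
        host = urlparse(value.strip()).hostname or ""
        if host not in TRUSTED_HOSTS:
            return (kind, key, f"untrusted host {host!r}")
    elif kind == "F2" and "UserInit=" in body:  # logon loader chain
        loaders = [t.strip() for t in body.split("UserInit=", 1)[1].split(",") if t.strip()]
        if len(loaders) != 1 or not loaders[0].lower().endswith("userinit.exe"):
            return (kind, "UserInit", f"extra logon loader(s): {loaders[1:]}")
    elif kind == "O13":  # HJT lists O13 only when a URL prefix was altered
        return (kind, body, "URL prefix changed from default")
    return None


def scan(log_text):
    """Run check_line over every non-empty line and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for kind, where, reason in scan(SAMPLE_LOG):
        print(f"{kind}: {where} -> {reason}")
```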
  7. hipster

    hipster Private E-2

    Hey
    Thanks for getting back to me
    Firstly to address your comments
    1. I tried to download updates from the Windows Update page but I was getting an error message and could not work out how to get them. This task was also made especially harder by all the crap that has been happening to my computer.
    2. As for the Adobe thing I could not work out to save it as requested and just did it under Adobe as I thought it would not matter. I am sure I will be able to work this one out though.
    3. I did not run the Trend Micro online scan as when I was in safe mode I could not get online, I am not sure why this was.

    On a side note, when I was using Kill Box the only option on the right side of the box I could use was the explorer one; the others were there but not able to be ticked. Perhaps as a consequence, when I rebooted all the same old problems came back.

    I have recently dumped my ADSL connection as it was not worth having with a computer that did not work. I am now using another computer with a dial up connection.
    Unfortunately I am in the process of moving house and do not have the time to sort out my computer problems at the present. When I am settled once again it would be great if I could post another Hijack This log and you could help me take another stab at fixing the problem.

    Thanks again for taking the time out to help
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But per the tutorial.

    "If you have a problem for any reason trying to run these scans in safe mode, do them in normal boot mode but make sure you tell us that in any subsequent message you may need to post about your problem"


    I don't understand why you could not use the other options of Killbox. Perhaps the version is not right. Try this link http://www.bleepingcomputer.com/files/spyware/KillBox.zip
    This one is ZIP'ed. Extract the files and then run it. Try the stuff I gave you again.

    Okay! Drop us a message when you get back online. But if it is any length of time from now, you will need to rerun the READ ME FIRST before posting a HijackThis log. Upgrading Windows via dialup will be extremely slow.
     