Please help with malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by mosesk, Jun 27, 2006.

  1. mosesk

    mosesk Private E-2

    I just picked up an infection with several ad pop-ups appearing.
    System specs- AMD Athlon
    W2k SP4
    768 mB ram

    I am including 3 attached files

    Thanks very much
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - About:Buster

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run, type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Run about:Buster twice.

    REBOOT to Normal Mode.

    Post the about:Buster log and a fresh HijackThis log.
     
  3. mosesk

    mosesk Private E-2

    Thanks for your quick reply.
    I tried to follow all your suggestions and had a few problems:
    1. I couldn't run "Pocket Killbox" quite the way you suggested

    2. By "ExplorerXP" do you mean "Explorer", since I am running W2K?

    3. Could not get an "about:Buster" log.

    I am attaching fresh HJT log.

    I will let you know if my problem is solved

    Thx again
     

    Attached Files:

  4. mosesk

    mosesk Private E-2

    still getting some pop ups
     
  5. mosesk

    mosesk Private E-2

    often getting the "OuterInfo" pop-up as well as some others
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There are a few items shown by your HijackThis log we need to remove; but before doing that, follow the directions for Running WinPFind by OldTimer.

    Post WinPFind.txt when finished.
     
  7. mosesk

    mosesk Private E-2

    WinPFind log attached
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for the following:
    - Look2Me VX2 Removal
    - Virtumonde aka Trojan Vundo Removal

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run, type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the logs from Look2Me Destroyer, Vundo Fix, and a fresh HijackThis log.
     
  9. mosesk

    mosesk Private E-2

    I tried to follow your directions and had a few issues:

    1. I never could get "Look2Me-Destroyer.exe" to run, not even after a reboot. Hence I do not have a log for it.

    2. "VundoFix.exe" never re-opened after a reboot either, but I was able to open it manually and get it to run.

    3. When I was in SAFE MODE I never located any of the files I was instructed to delete. I know you mention "Some of these may have already been deleted by Pocket Killbox".

    I have attached logs from Vundo Fix and HJT

    Thanks very much
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Just to make sure that the registry patch took. Post another WinPFind log and a fresh HijackThis log.
     
    Last edited: Jun 30, 2006
  11. mosesk

    mosesk Private E-2

    here you go...
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Reboot to Safe Mode.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot to Normal Mode.

    How is your computer running?
     
  13. mosesk

    mosesk Private E-2

    I will do your suggestion right away.
    However I forgot to mention something previously.
    You instructed me to delete "C:\Documents and Settings\Mo Krav\Application Data\?dobe"

    Did you mean to type "Adobe" rather than "?dobe"?
     
  14. mosesk

    mosesk Private E-2

    OK- I have performed the step.
    I will certainly let you know how everything is going.

    After all these procedures and seeing the results of each of the fixes, is there any way to "summarize" what we actually did and is there any way to conclude specifically what happened and how I was "infected" in the first place?

    Thanks
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    "?" is a wild card, so the directory could actually be "?dobe" or any random character as the first letter, then an exact match for the remaining letters. In your case it is most likely "Adobe". If that is the case, do not delete the directory; just delete mmc.exe, if present.

    Most of the tools I had you run are scanners, either file scanners, registry scanners, or a combination of both. A few are cleaning tools aimed at specific infections.

    about:Buster was the very first cleaning tool I had you run; this tool is specifically for about:blank, CoolWebSearch, and HSA browser hijackers. The R0 & R1 lines in your first HijackThis log are what indicated that tool needed to be run.

    I had you run Look2Me Destroyer, as I believed you may have had a Look2Me/VX infection lingering, but that apparently wasn't the case.

    VundoFix is specifically for Virtumonde, also known as "WinFixer". That infection was shown in your WinPFind log.

    The rest of what we did was to have HijackThis fix specific registry entries, shown by HijackThis. Then we used Pocket Killbox to delete the files; this is done at system reboot, before the infection has a chance to load. I also prepared specific registry patches to remove registry entries that are normally used to respawn the infection; these are shown by WinPFind.

    There are numerous infection methods: email, ActiveX, Java controls, downloading and installing one of many toolbars, downloading and installing screen savers and wallpapers.
     
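As an added, defender-side illustration of the wildcard rule explained in the post above (example code written for this page, not anything the thread or its tools provide): it applies the `?dobe` pattern to a constructed folder listing and separates the genuine Adobe directory, where only mmc.exe should go, from a lookalike directory whose first letter differs. The listing, the `listing_from_disk` helper and the verdict strings are assumptions of this example.

```python
import fnmatch
from pathlib import Path

# Constructed sample of an Application Data folder listing (not taken from the thread's logs):
# directory name -> files inside it. "\u00c5dobe" is a lookalike that differs only in its first letter.
SAMPLE_APPDATA = {
    "Adobe": ["Acrobat.ini", "mmc.exe"],
    "Microsoft": ["Credentials"],
    "\u00c5dobe": ["mmc.exe"],
    "xdobe": ["readme.txt"],
}

LEGITIMATE_NAME = "Adobe"
PATTERN = "?dobe"        # "?" matches exactly one character, as the expert's instruction describes
SUSPECT_FILE = "mmc.exe"


def listing_from_disk(root):
    """Build the same name -> files mapping from a real folder (e.g. Application Data)."""
    return {d.name: [f.name for f in d.iterdir() if f.is_file()]
            for d in Path(root).iterdir() if d.is_dir()}


def triage_wildcard_dirs(listing, pattern=PATTERN, legit=LEGITIMATE_NAME, suspect=SUSPECT_FILE):
    """Return directory -> verdict for every directory matching `pattern`.

    - exact legitimate name: keep the directory, flag only the suspect file if present
    - any other match: the name is a lookalike, so the whole directory is reported
    - a lookalike without the suspect file is sent to manual review, not deletion
    """
    verdicts = {}
    for name, files in listing.items():
        if not fnmatch.fnmatchcase(name, pattern):
            continue
        has_suspect = suspect.lower() in (f.lower() for f in files)
        if name == legit:
            verdicts[name] = f"delete {suspect} only" if has_suspect else "clean"
        elif has_suspect:
            verdicts[name] = "lookalike directory: remove entire directory"
        else:
            verdicts[name] = "lookalike name, no suspect file: review manually"
    return verdicts


if __name__ == "__main__":
    for directory, verdict in triage_wildcard_dirs(SAMPLE_APPDATA).items():
        print(f"{directory!r}: {verdict}")
```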
  16. mosesk

    mosesk Private E-2

    GREAT explanation, very educational.
    Been running ad-free for 10 minutes.
    A little too soon to celebrate perhaps, but fingers are crossed.

    I greatly appreciate what an extremely valuable job you and your cohorts are doing.

    Thank you VERY much!!
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  18. mosesk

    mosesk Private E-2

    I am running W2K so I don't think "Disable And Enable System Restore" applies to me.
    Am I correct in this?

    I will carefully read "How to Protect yourself from malware!" and surf safely and proudly!

    All the best.
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, you are correct; Disable System Restore does not apply to W2K.
     
  20. mosesk

    mosesk Private E-2

    just wanted to let you know that computer is running fine.
    no adware.

    thanks again
     
