Ran tests for about.blank and malware: what next?

Discussion in 'Malware Help (A Specialist Will Reply)' started by outridge, Mar 8, 2005.

  1. outridge

    outridge Private E-2

    Hello, I've run the tests listed in READ ME FIRST thread and have been unable to get this system cleaned, and wanted to touch base before getting overly creative.

    First, the system is Win98 -- I've used the steps successfully on a WinXP machine, previously, but this one isn't responding so far.

    Trend Micro -- refused to run due to an ActiveX issue. I tried again after successfully loading ActiveX and running the Symantec scan, but no joy.

    Symantec Scan -- found the following:
    adware.Iefeats
    adware.CWSIEFeats
    adware.BetterInternet

    infected files include:
    kajkrd.dat
    ierr32.exe
    d3mq32.exe
    ntyv32.exe
    NPRotect00093622
    NProtect00093621

    ntyv32.exe and ierr32.exe are in the startup file.
    None of these are noted when I run symantec locally (definitions and updates are all current).

    Upon running the IE browser, it does the following:
    *loads google.com (the default was originally yahoo
    *upon the entry of any url without a 'www' it loads a search string containing '.dll' -- i.e. res://brkcf.dll/url_error.html#yahoo.com
    *(it seems as though searching for 'spyware' or 'about.blank' or 'adware' causes it to freeze up, but that might be paranoia. Too much SE browsing crashes IE.)
    *home page defaults to about.blank
    *of course, random pop-up ads about adware and virus removal have been added for my entertainment, along with a couple of dozen porn sites added to my Favorites.



    Ran Stinger and Netsky.b@mm was deleted from an unopened email attachment.

    Ran Adaware SE/VX2, Spybot, all other listed removal tools. On reboot, problem persists.

    The browser is IE 5.5 -- should I upgrade to the latest version before continuing? Is it time to run HijackThis and, if so, should I follow the Chaslang thread or just come back and post the results?

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Yes you will need to upgrade your system but let's see what we can fix first.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please do the following:

    Download: "StartDreck", from here:
    http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  4. outridge

    outridge Private E-2

    Thank you. The requested files are attached.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have about:Buster downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 23. The download only comes with version 19 which is out of date. You must update.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\SYSTEM\NTON32.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\brkcf.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {538B9FE6-4A93-9D99-7433-815C211C7184} - C:\WINDOWS\SYSTEM\APIDR.DLL
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [IPGA.EXE] C:\WINDOWS\IPGA.EXE
    O4 - HKLM\..\RunServices: [NTON32.EXE] C:\WINDOWS\SYSTEM\NTON32.EXE

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in windows explorer by Modification dates and look for possibly other similarly name files from the same date - let me know if you find others - you may also see the same filenames but with .ini, .dat, .exe, or .dll extensions)
    C:\WINDOWS\SYSTEM\APIDR.DLL
    C:\WINDOWS\IPGA.EXE
    C:\WINDOWS\SYSTEM\NTON32.EXE
    C:\WINDOWS\winmain.exe or C:\WINDOWS\SYSTEM\winmain.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, that is what I said. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin. In fact as an additional measure do the following:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    - Run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice or had problems with.
     
  6. outridge

    outridge Private E-2

    I updated to database 25 before the initial run.

    Done.

    None of these lines existed -- I didn't open a browser on the infected machine.

    DONE

    Is it adequate to rename extensions for anything I'm unsure of, or is it safe to just delete any .ini .dat .log .dll or .exe with mixed alphabet names?

    Deleted APIDR.DLL
    \SYSTEM\NTON32.EXE will not delete -- states it is in use by Windows.
    Winmain.exe not found in \WINDOWS or \WINDOWS\SYSTEM

    renamed following files to extension .3x:
    \WINDOWS\SYSTEM
    NTSW32.EXE
    NTYV32.EXE
    apiqg32.EXE
    apiub.EXE

    \WINDOWS
    ipna.EXE
    ipgl.EXE

    All files were 0k except NTSW32.EXE and ipgl.EXE which were both 12k.

    Files created on the same dates in \SYSTEM -- most are 0k in size
    iecn.dll
    addny.dll
    fxbnr.log
    atlxb.exe
    nwrax.dat
    netjs.exe
    ybkrk.txt
    msjs.exe
    fjwrv.log
    ssmute.ini
    crgc.exe
    ipeb.exe
    atlou32.exe
    javagu.exe
    mysu32.exe
    ipte.exe
    netxe32.3xe
    netph.exe
    kajkr.dll
    chbtx.dat

    I can see a couple there that should probably be deleted, but will refrain from going back in and mucking about until I hear back.


    DONE

     

    Attached Files: ab1.log (1.3 KB), ab2.log (403 bytes)
  7. outridge

    outridge Private E-2

    Added HJT log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problem is more than likely going to come back (if it has not already) because of that NTON32.EXE file you were not able to delete. And now there is another process added to your log.

    Here are the problem processes and startup entries in your HJT log:

    C:\WINDOWS\SYSTEM\NTON32.EXE
    C:\WINDOWS\SYSTEM\APPNW32.EXE
    O4 - HKLM\..\Run: [APPNW32.EXE] C:\WINDOWS\SYSTEM\APPNW32.EXE
    O4 - HKLM\..\RunServices: [NTON32.EXE] C:\WINDOWS\SYSTEM\NTON32.EXE

    Let's see if we can fix it before it gets worse.

    Please boot to an MS-DOS prompt and then delete the two files from the c:\windows\system folder. The procedure is below. You should print this so you can follow while offline.

    Booting to MS-DOS mode

    You click Start and then Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen) enter the following commands each followed by the enter key and then when finished type win and hit enter which should bring you back to Windows where you can tell me what happened.

    cd c:\windows\system
    attrib -s -h -r APPNW32.EXE

    del APPNW32.EXE

    attrib -s -h -r NTON32.EXE
    del NTON32.EXE

    win

    Now, why don't you move all those questionable files you listed in your last message into a holding folder (just in case). So make a folder called junk in the c:\windows\system folder and move all those files into the junk subfolder.

    Let me know of any error messages you get while rebooting or when you go to run IE or anything else. Post a new HJT log and if the problem is still there, DO NOT REBOOT or shutdown your PC until you hear from me.
     
  9. outridge

    outridge Private E-2

    Okay, I deleted the files, booted into Windows, and moved the 0k .dll files and a few others into junk folders.

    The system seems to be moving a bit slowly, but there are no new about.blank loads and I haven't hit any new aggravating popups...yet.

    There was one file in \WINDOWS called applv32.exe that said it was in use by windows. It is 12k in size.

    Also, ntys32.dll said access denied -- it is 101k

    ygerpm.dat keeps respawning, at 0k

    in \WINDOWS\SYSTEM these files aren't familiar to me so also got moved to junk:
    ntgb.exe
    sccim.dll - 65k

    HJT is attached. I don't see any more problems in the browser, but am getting a few popups while on majorgeeks.com -- am I right to assume those are your resident marketing ads?

    I obviously need to upgrade to the current version of IE on this machine. Once that is done, is there a thread on security settings?

    Thanks again for the assist. I'll post the HJT log in a moment.
     
  10. outridge

    outridge Private E-2

    Ok, all screwed up again. I did NOT have any about.blank issues the last several times I opened the browser -- even after the cleanup in message #6.

    I came in here to post the last message and realized I ran HJT with IE open and it was showing NTON32.EXE and APPNW32.EXE and some IE menu dll files.

    I closed IE. Ran HJT. Opened IE to add the log. Now I am getting about.blank and Only The best popups. The latter is new and showed up when I loaded majorgeeks.com, but I see 'only the best' as an alt tag -- no text or images actually show up in the popup window.

    I'm going to put a barbed wire fence around this machine in case my dad is fibbing when he says he's not playing with it.

    Here is the log.
     
  11. outridge

    outridge Private E-2

    One other thing, I did verify that the NTON32.EXE and APPNEW32.EXE were in fact gone after I had deleted them in DOS. Also, I noted one other new file with a .cb extension, but I don't have that file name in front of me right now.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Things more than likely respawned due to missing some of the files.

    That APPLV32.EXE file you saw probably caused this.

    Before we continue. I need to know that you have not rebooted since posting your HJT log.
    If you have rebooted, I need to see a new HJT log and then do not reboot.

    Also either way get a new StartDreck log and post it right now.

    At the present time the "visible" problem lines in your HJT log are:


    C:\WINDOWS\APPLV32.EXE
    C:\WINDOWS\SYSTEM\SYSGY.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5FED7651-9344-A240-6171-67DD7DE0C463} - C:\WINDOWS\MFCZM.DLL
    O4 - HKLM\..\Run: [APPNW32.EXE] C:\WINDOWS\SYSTEM\APPNW32.EXE
    O4 - HKLM\..\Run: [SYSGY.EXE] C:\WINDOWS\SYSTEM\SYSGY.EXE
    O4 - HKLM\..\RunServices: [NTON32.EXE] C:\WINDOWS\SYSTEM\NTON32.EXE
    O4 - HKLM\..\RunServices: [APPLV32.EXE] C:\WINDOWS\APPLV32.EXE
     
  13. outridge

    outridge Private E-2

    Hi. There has not been a reboot since the last HJT log. Here is the StartDreck.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download ProcessExplorer from: ProcessExplorer for Win 9x/Me
    Extract it to a folder named: C:\SysInternals

    Print the below instructions or save locally because you need to unplug your cable to the internet and exit all browsers now and do not reconnect or run a browser again until told to.

    OK! Unplug and Exit browsers now before continuing.

    We are going to use it to kill processes. It does a better job than TaskManager or HJT's process manager. From now on use it to kill processes. Run the executable and use it to kill any of the below four processes if found:

    C:\WINDOWS\SYSTEM\APPNW32.EXE
    C:\WINDOWS\SYSTEM\SYSGY.EXE
    C:\WINDOWS\SYSTEM\NTON32.EXE
    C:\WINDOWS\APPLV32.EXE

    Run HijackThis and have it fix the below lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pilag.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5FED7651-9344-A240-6171-67DD7DE0C463} - C:\WINDOWS\MFCZM.DLL
    O4 - HKLM\..\Run: [APPNW32.EXE] C:\WINDOWS\SYSTEM\APPNW32.EXE
    O4 - HKLM\..\Run: [SYSGY.EXE] C:\WINDOWS\SYSTEM\SYSGY.EXE
    O4 - HKLM\..\RunServices: [NTON32.EXE] C:\WINDOWS\SYSTEM\NTON32.EXE
    O4 - HKLM\..\RunServices: [APPLV32.EXE] C:\WINDOWS\APPLV32.EXE

    Exit HJT and immediately boot to the MS-DOS command prompt.

    Booting to MS-DOS mode

    You click Start and then Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen) enter the following commands each followed by the enter key and then when finished type win and hit enter which should bring you back to Windows where you can tell me what happened.

    cd c:\windows\system
    attrib -s -h -r APPNW32.EXE
    del APPNW32.EXE

    attrib -s -h -r SYSGY.EXE
    del SYSGY.EXE

    attrib -s -h -r NTON32.EXE
    del NTON32.EXE

    cd c:\windows
    attrib -s -h -r APPLV32.EXE
    del APPLV32.EXE

    attrib -s -h -r MFCZM.DLL
    del MFCZM.DLL

    win

    Now you will be returned to the Windows OS. Do not run any browsers or reconnect your cable to the internet yet. Just run HJT and make sure all the bad stuff is gone. If not repeat the above for whatever came back (note names may have changed).

    Afterwards! Reconnect your cable and open and then close one browser session and then get a new HJT log. Now come back here and post the new log and let me know of any error messages you may have received while rebooting or when you tried to delete any of the above files.
     
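As an added triage example (not from this thread, HijackThis, or any MajorGeeks tool), the script below parses HJT log lines in the format quoted in posts 5, 12 and 14, flags the CWS-style indicators chaslang singles out (res:// search pages served from a local DLL, an about:blank Default_Page_URL, a missing URLSearchHook, and BHO or Run/RunServices entries pointing at randomly named files in C:\WINDOWS or C:\WINDOWS\SYSTEM), and emits the attrib/del sequence from the MS-DOS procedure above. The sample log, the allowlist of known-good Win98 startup names and the random-name heuristic are my assumptions, not HijackThis rules.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HJT log lines quoted in this thread
# (the last line is a legitimate Windows 98 startup entry added as a control).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pilag.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pilag.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5FED7651-9344-A240-6171-67DD7DE0C463} - C:\WINDOWS\MFCZM.DLL
O4 - HKLM\..\Run: [SYSGY.EXE] C:\WINDOWS\SYSTEM\SYSGY.EXE
O4 - HKLM\..\RunServices: [APPLV32.EXE] C:\WINDOWS\APPLV32.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# Assumed allowlist: legitimate Win98 startup executables that live in C:\WINDOWS.
KNOWN_GOOD = {"scanregw.exe", "systray.exe", "taskmon.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system"}
# Heuristic for CWS-style names: a few random letters, optional "32", .exe or .dll.
RANDOM_NAME = re.compile(r"^[a-z]{3,7}(32)?\.(exe|dll)$", re.I)
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.I)          # res://<dll>/sp.html#...
O4_LINE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[[^\]]*\] (\S+)")
O2_LINE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-F-]+\}) - (\S+)", re.I)


def in_system_dir(path):
    """True if the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\SYSTEM."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def triage(log_text):
    """Return (flagged_lines, files_to_remove) for an HJT log."""
    flagged, files = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("R0", "R1")) and " = " in line:
            value = line.split(" = ", 1)[1]
            m = RES_DLL.match(value)
            if m:                      # search page served from a local DLL resource
                flagged.append(line); files.append(m.group(1))
            elif value.lower() == "about:blank" and "Default_Page_URL" in line:
                flagged.append(line)
        elif line.startswith("R3") and "missing" in line:
            flagged.append(line)
        elif line.startswith("O2"):
            m = O2_LINE.match(line)
            if m and in_system_dir(m.group(2)) and RANDOM_NAME.match(PureWindowsPath(m.group(2)).name):
                flagged.append(line); files.append(m.group(2))
        elif line.startswith("O4"):
            m = O4_LINE.match(line)
            if not m:
                continue
            exe = m.group(2)
            name = PureWindowsPath(exe).name.lower()
            if in_system_dir(exe) and name not in KNOWN_GOOD and RANDOM_NAME.match(name):
                flagged.append(line); files.append(exe)
    return flagged, list(dict.fromkeys(files))   # de-duplicate, keep order


def dos_cleanup_commands(files):
    """Emit the cd / attrib -s -h -r / del sequence from the thread, grouped by folder."""
    cmds, current_dir = [], None
    for f in sorted(files, key=lambda f: str(PureWindowsPath(f).parent).lower()):
        p = PureWindowsPath(f)
        if str(p.parent).lower() != current_dir:
            current_dir = str(p.parent).lower()
            cmds.append(f"cd {current_dir}")
        cmds.append(f"attrib -s -h -r {p.name}")
        cmds.append(f"del {p.name}")
    cmds.append("win")                 # return to Windows, as in the procedure
    return cmds


if __name__ == "__main__":
    bad_lines, bad_files = triage(SAMPLE_HJT_LOG)
    print("\n".join(bad_lines), "\n", "\n".join(dos_cleanup_commands(bad_files)))
```

The heuristic deliberately errs toward flagging: anything it lists should still be checked by creation date and size, as outridge did, before it goes into the junk folder.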
  15. outridge

    outridge Private E-2

    Unplugged from Internet

    Used ProcessExplorer to kill:

    APPLV32.EXE and SYSGY.EXE --- APPNW32.EXE and NTON32.EXE did not exist.

    Ran HijackThis and had it fix all of the lines you listed.

    Booted to DOS Mode

    APPNW32.EXE, NTON32.EXE and MFCZM.DLL were not found.
    Deleted SYSGY.EXE and APPLV32.EXE

    Went back to Windows. Ran HJT. Did not see listings for anything fixed earlier.

    Reconnected cable and then opened browser. It opened to About:blank. Closed the browser.

    I've attached the new HJT log.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    You forgot the HJT log.

    Those files should exist. Are you sure you are executing the attrib -s -h -r command properly? There are spaces between the -s , the -h , and the -r. Were there any error messages? Are you booting to an MS-DOS command prompt, where Windows is not running and your whole screen is just one big DOS window?
     
  17. outridge

    outridge Private E-2

    I tried to attach the log file last time. I guess that it didn't take for some reason.

    Yes, I do remember typing those commands in as indicated. I work with DOS often. But, I'm not infallible. I may have screwed something up. I was trying to do 5 other things at the same time I was doing this.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But more specifically my question was:
    And not just opening an MS-DOS window while running Windows?

    Were you able to go back and find those files now?

    Your last log was clean! Are you still clean? Any problems?

    Do you use the below applications?

    VIEWPOINT MANAGER
    RealDownload
     
  19. outridge

    outridge Private E-2

    Eureka! You have helped get rid of this monster! I don't know who you are or where you are, but I owe you some drinks!

    I had restarted in MS-DOS mode to do the attrib commands and file deletes.

    What happened was that MS Explorer still came out to About:blank and something spawned and tried to change the default page.

    That's where I stopped and ran the new log, which I thought I had attached and sent to you last night.

    After seeing your response today, I went in and checked for those 5 files again after restarting in MS-DOS mode, and none of them appeared. I still had the same problem in IE though. However, SpySweeper found another Malware that it was able to successfully remove.

    IE now appears to be functioning normally and all scans are coming back clean.

    So, I'm satisfied at this point that we've won the war.

    I can't thank you enough for all of your help.

    Have a great weekend!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Where I am at appears at the top right side of each message I post.

    You should now perform the steps (or the equivalent) in the below link to help avoid future issues:
    How to Protect yourself from malware!
     
  21. outridge

    outridge Private E-2

    Never mind -- we were posting at the same time and I see you just answered my question.


    Thanks again.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See my below post! You must have missed it.
     