"terr1.htm" and "terr1.CAB" popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by dan-o, Oct 17, 2006.

  1. dan-o

    dan-o Private E-2

    i can't stop these popups. been going on for a couple weeks and they seem
    harmless but they are irritating. i think they might be leftover from a virus i removed in safe mode. does anyone recognize "terr1.htm" or "terr1.CAB"? could use some help.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    Best to follow the below guide and we can locate where these are coming from and why they are persistent.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. dan-o

    dan-o Private E-2

    originally, i had popups that were sending me to a site called "get-access.host.sk/hvplace/". eventually i would end up w/ porn popups. i found an odd process on the task manager called "mainrescontr". i googled it and found someone w/ a similar problem. i followed the instructions given and the majority of the popups stopped, but i am still getting these "terr1" popups.
    i was unable to run windows defender (did not recognize my version of windows?). here are my five reports (in two posts).
     

    Attached Files:

  4. dan-o

    dan-o Private E-2

    this should be it. i followed the instructions, but no luck so far.
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Are you aware that you are running PC Anywhere? This is software that allows people to remotely access your computer and might be a security risk if you didn't know about it.

    Using add/remove programs which can be accessed from the control panel, uninstall the following:



    Do you have any idea what the following process is:

    I need some more information about it.

    Also do you know what this is

    The executable indicates that it is Back Orifice (a hack tool for Windows 95/98) but I find that unlikely.

    If you don't know what either of these are then just let me know so we can continue.
     
  6. dan-o

    dan-o Private E-2

    i deleted viewpoint. don't know what extrat.exe is. Maitre'D POS server is a program i use on a separate computer to calculate sales and labor for my restaurant. i used to run it through this computer, but rarely.
     
  7. matt.chugg

    matt.chugg MajorGeek

    OK I need some more information on this file before I decide whether to have you remove it or not.

    Download the zip file attached to this post.

    Extract the 2 files to a folder somewhere convenient

    Run GetFileDetails.bat (NOT THE EXE)

    Upload the log created in the root of c: (C:\getdetails.txt)
     

    Attached Files:

  8. dan-o

    dan-o Private E-2

    here you go.
     
  9. dan-o

    dan-o Private E-2

    whoops. HERE it is.
     

    Attached Files:

  10. matt.chugg

    matt.chugg MajorGeek

    Odd.. It should have given more info than this.

    Navigate to the file and right click on it and select properties.

    Click on the Version tab

    Tell me what it says for each of the entries in the Other Version Information box.
     
  11. dan-o

    dan-o Private E-2

    when i right click on "getdetails.txt" i do not get a version tab. the only tabs are "general" and "summary".
     
  12. matt.chugg

    matt.chugg MajorGeek

    Sorry. I wasn't clear, you need to right click on C:\WINDOWS\extrat.exe and tell me the information about this file. I am not sure what it is and as you don't recognize it we need to be sure of what it is.
     
  13. dan-o

    dan-o Private E-2

    i right clicked on c:\windows\extrat.exe and there are three tabs: "general", "compatibility", and "summary". nothing is checked under compatibility or summary. here's most of what's under "general":
    Type of File: Application
    Description: extrat
    Size: 112 KB
    Created/Modified: 10/04/06
    Accessed: Today

    it looks like this file was created the day the virus appeared. Hope this is it.
     
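The Version tab was empty for extrat.exe, so the file properties gave nothing beyond size and dates. What a responder can still read out of an unrecognised binary is in the PE header itself. The following is an added example, not part of the thread and not one of the MajorGeeks tools: a stdlib-only Python triage that reports the link timestamp (to compare with the 10/04/06 creation date noted above), the section layout, and per-section entropy, which is how a packed payload gives itself away. The PE image it analyses is constructed by build_sample() and is not the real extrat.exe; the 2006-10-04 timestamps are assumed to match the date in the post.

```python
"""Added example (not from the thread or from MajorGeeks' tools): a stdlib-only
first look at an unrecognised Windows binary such as C:\\WINDOWS\\extrat.exe.
When the Explorer 'Version' tab is empty (no VERSIONINFO resource), the PE
header still tells you the link timestamp, the section layout and whether a
section looks packed.  build_sample() fabricates a small, non-functional PE
image for the demonstration; it is NOT the real extrat.exe."""
import math
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_DLL = 0x2000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    sec_tbl = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        off = sec_tbl + 40 * i
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        (sec_chars,) = struct.unpack_from("<I", image, off + 36)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(entropy(raw), 2),
            "executable": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(sec_chars & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": machine,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "sections": sections,
    }


def triage_flags(info: dict, fs_created: datetime) -> list:
    """Indicators worth reporting back before deciding whether to delete the file."""
    out = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            out.append(f"{s['name']}: entropy {s['entropy']} (packed/encrypted payload)")
        if s["executable"] and s["writable"]:
            out.append(f"{s['name']}: writable+executable (unpacking stub)")
    if abs((fs_created - info["link_time"]).total_seconds()) <= 86400:
        out.append("link time is within a day of the file's creation date")
    return out


def build_sample() -> bytes:
    """Constructed PE32 image: a low-entropy .text and a packed-looking UPX1 section."""
    text = b"\x90" * 200 + b"\xc3" * 56
    packed = bytes((i * 97 + 13) & 0xFF for i in range(256))   # a permutation of 0..255
    stamp = int(datetime(2006, 10, 4, 12, tzinfo=timezone.utc).timestamp())  # assumed link time
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                    # PE32 optional header (224 bytes)

    def sec(name, size, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, flags)

    hdr = dos + b"PE\0\0" + coff + opt
    hdr += sec(b".text", 256, 0x200, 0x60000020)   # code | execute | read
    hdr += sec(b"UPX1", 256, 0x300, 0xE0000040)    # data | execute | read | write
    return hdr.ljust(0x200, b"\0") + text + packed


if __name__ == "__main__":
    info = parse_pe(build_sample())
    created = datetime(2006, 10, 4, tzinfo=timezone.utc)   # the 10/04/06 date from the thread
    print("linked:", info["link_time"].isoformat())
    for s in info["sections"]:
        print(f"  {s['name']:<8} raw={s['raw_size']:<6} H={s['entropy']:<5} X={s['executable']} W={s['writable']}")
    for f in triage_flags(info, created):
        print("!!", f)
```

Run it against the real file with `parse_pe(open(r"C:\WINDOWS\extrat.exe", "rb").read())`; a link timestamp on the same day the popups started, plus a writable and executable section with entropy near 8, is the profile of a freshly packed dropper rather than a shipped product binary, which is exactly the information the empty Version tab could not give.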
  14. matt.chugg

    matt.chugg MajorGeek

    Download

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)




    Run HijackThis. Click the 'Do a system scan only' button.


    Once the scan has completed click Config

    Click Misc Tools

    Click Open Process Manager

    Terminate the following processes by selecting them from the list and clicking Kill Process

    Click back to return to the scan results.

    Place a checkmark in the box next to the following lines:


    Now boot into SAFE MODE

    Navigate to and RENAME C:\WINDOWS\extrat.exe to extrat.exe.ren

    Open Windows Explorer navigate to and DELETE the following:

    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode.

    Let me know how things are running now

    Post a fresh HijackThis log, a fresh newfiles log and a fresh activescan log.
     
  15. dan-o

    dan-o Private E-2

    popups have stopped. could not find c:\documents and settings\all users\start menu\Online Security Center.url. Also, i found "extrat" but not "extrat.exe". i changed it to "extrat.exe.ren" anyway.
     

    Attached Files:

  16. matt.chugg

    matt.chugg MajorGeek

    That's because you have extensions hidden for known file types. It hides the exe part since it knows it's an executable.

    c:\documents and settings\all users\start menu\Online Security Center.url is still there. Do you have viewing of hidden files and folders enabled as per the READ & RUN ME?

    I guess since the popups have stopped extrat was the bad file. Can you submit it at http://virustotal.com and tell me what the results are please.
     
  17. dan-o

    dan-o Private E-2

    i am (and have been) able to view hidden files. i must have missed c:\documents and settings\all users\start menu\Online Security Center.url because i just found it in a search (although i'm not in safe mode). should i go back and follow the instructions you gave me on removing it? here are the results from virustotal:
    STATUS: FINISHED
    Complete scanning result of "extrat.exe.ren.exe", received in VirusTotal at 10.26.2006, 22:44:08 (CET).

    Antivirus           Version         Update      Result
    AntiVir             7.2.0.32        10.26.2006  no virus found
    Authentium          4.93.8          10.26.2006  no virus found
    Avast               4.7.892.0       10.26.2006  no virus found
    AVG                 386             10.26.2006  no virus found
    BitDefender         7.2             10.26.2006  no virus found
    CAT-QuickHeal       8.00            10.26.2006  no virus found
    ClamAV              devel-20060426  10.26.2006  no virus found
    DrWeb               4.33            10.26.2006  Trojan.DownLoader.12220
    eTrust-InoculateIT  23.73.37        10.26.2006  no virus found
    eTrust-Vet          30.3.3158       10.26.2006  no virus found
    Ewido               4.0             10.26.2006  no virus found
    Fortinet            2.82.0.0        10.26.2006  no virus found
    F-Prot              3.16f           10.26.2006  no virus found
    F-Prot4             4.2.1.29        10.26.2006  no virus found
    Ikarus              0.2.65.0        10.26.2006  no virus found
    Kaspersky           4.0.2.24        10.26.2006  no virus found
    McAfee              4882            10.26.2006  no virus found
    Microsoft           1.1609          10.25.2006  no virus found
    NOD32v2             1.1837          10.26.2006  no virus found
    Norman              5.80.02         10.26.2006  no virus found
    Panda               9.0.0.4         10.26.2006  no virus found
    Sophos              4.10.0          10.26.2006  no virus found
    TheHacker           6.0.1.106       10.26.2006  no virus found
    UNA                 1.83            10.26.2006  no virus found
    VBA32               3.11.1          10.26.2006  Trojan.DownLoader.12220
    VirusBuster         4.3.15:9        10.26.2006  no virus found


    Additional Information
    File size: 114688 bytes
    MD5: f6d0a3650ba9a280bc4f244f73588ac6
    SHA1: b2fdd2dfcec0a8c4058d7e94daed9a7d8b10cc00
     
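Two things in that report are worth pulling out mechanically: the detection ratio (2 of 26 engines, both calling it a downloader, which is typical for a fresh sample) and the submitted filename, which ends in ".exe" because Explorer kept the hidden extension when "extrat" was renamed to "extrat.exe.ren". The following is an added example, not part of the thread: it parses the 2006-era VirusTotal text report exactly as pasted above, computes the ratio, checks a local copy against the reported MD5/SHA1 so you know you are talking about the same sample, and tests whether the "neutralising" rename actually removed the executable extension. The REPORT string is the post's own report; SAMPLE_BYTES is a constructed stand-in, not the real extrat.exe.

```python
"""Added example, not from the thread: parse a VirusTotal text report of the
format pasted in the post, extract detections and hashes, and check the
submitted file's name and identity.  REPORT is the report from the post;
SAMPLE_BYTES is a constructed stand-in for a local copy of the file."""
import hashlib
import os
import re

REPORT = """STATUS: FINISHEDComplete scanning result of "extrat.exe.ren.exe", received in VirusTotal at 10.26.2006, 22:44:08 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.32 10.26.2006 no virus found
Authentium 4.93.8 10.26.2006 no virus found
Avast 4.7.892.0 10.26.2006 no virus found
AVG 386 10.26.2006 no virus found
BitDefender 7.2 10.26.2006 no virus found
CAT-QuickHeal 8.00 10.26.2006 no virus found
ClamAV devel-20060426 10.26.2006 no virus found
DrWeb 4.33 10.26.2006 Trojan.DownLoader.12220
eTrust-InoculateIT 23.73.37 10.26.2006 no virus found
eTrust-Vet 30.3.3158 10.26.2006 no virus found
Ewido 4.0 10.26.2006 no virus found
Fortinet 2.82.0.0 10.26.2006 no virus found
F-Prot 3.16f 10.26.2006 no virus found
F-Prot4 4.2.1.29 10.26.2006 no virus found
Ikarus 0.2.65.0 10.26.2006 no virus found
Kaspersky 4.0.2.24 10.26.2006 no virus found
McAfee 4882 10.26.2006 no virus found
Microsoft 1.1609 10.25.2006 no virus found
NOD32v2 1.1837 10.26.2006 no virus found
Norman 5.80.02 10.26.2006 no virus found
Panda 9.0.0.4 10.26.2006 no virus found
Sophos 4.10.0 10.26.2006 no virus found
TheHacker 6.0.1.106 10.26.2006 no virus found
UNA 1.83 10.26.2006 no virus found
VBA32 3.11.1 10.26.2006 Trojan.DownLoader.12220
VirusBuster 4.3.15:9 10.26.2006 no virus found

Aditional Information
File size: 114688 bytes
MD5: f6d0a3650ba9a280bc4f244f73588ac6
SHA1: b2fdd2dfcec0a8c4058d7e94daed9a7d8b10cc00
"""

SAMPLE_BYTES = b"constructed stand-in, not the real extrat.exe"   # constructed

# One engine row: name, version, dd.mm.yyyy update date, free-text verdict.
ENGINE_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1):\s*(?P<hex>[0-9a-fA-F]+)$")
NAME_RE = re.compile(r'scanning result of "(?P<name>[^"]+)"')


def parse_report(text: str) -> dict:
    out = {"name": None, "engines": 0, "detections": {}, "hashes": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NAME_RE.search(line)):
            out["name"] = m.group("name")
        elif (m := HASH_RE.match(line)):
            out["hashes"][m.group("alg")] = m.group("hex").lower()
        elif (m := ENGINE_RE.match(line)):
            out["engines"] += 1
            verdict = m.group("result")
            if verdict.lower() != "no virus found":
                out["detections"][m.group("engine")] = verdict
    return out


def detection_ratio(parsed: dict) -> str:
    return f"{len(parsed['detections'])}/{parsed['engines']}"


def hashes_of(data: bytes) -> dict:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}


def same_sample(data: bytes, expected: dict) -> bool:
    """True only if every hash the report lists matches the local bytes."""
    got = hashes_of(data)
    return bool(expected) and all(got[alg] == h for alg, h in expected.items())


def still_executable(name: str) -> bool:
    # With "hide extensions for known file types" on, Explorer silently keeps
    # the hidden '.exe': renaming 'extrat' to 'extrat.exe.ren' yields
    # 'extrat.exe.ren.exe'.  Only the final extension matters to the loader.
    return os.path.splitext(name)[1].lower() in {".exe", ".com", ".scr", ".pif"}


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print(parsed["name"], detection_ratio(parsed), parsed["detections"])
    print("same sample as report:", same_sample(SAMPLE_BYTES, parsed["hashes"]))
    print("still executable by name:", still_executable(parsed["name"]))
```

Two out of 26 with a generic "DownLoader" family name says "new and unremarkable", not "clean", so a low ratio is not grounds to put the file back. And since the renamed file is still `*.exe`, the rename only broke the autostart path; the safer neutralisation is a name whose last extension is not executable (or moving the file into a zip) before it goes anywhere.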
  18. matt.chugg

    matt.chugg MajorGeek

    Just delete the c:\documents and settings\all users\start menu\Online Security Center.url file

    Looks like it probably was the bad file as you have no more popups. Is everything running smoothly now?
     
  19. dan-o

    dan-o Private E-2

    all is well. thanks for your patience and help.
     
  20. matt.chugg

    matt.chugg MajorGeek

