TechSpot

I know it's only a matter of time

By RestlessBeauty
Mar 26, 2007
  1. Well, a day ago I logged on to my OS and I keep getting this instead of my MSN that I always get:

    http://www.usuc.us/2/popup/2.php?ref=john_p

    It's flashing and it's telling me I'm infected (not sure who is telling me, so I don't want to click on anything). It tells me this:

    VIRUS INFECTION
    You are infected by Spyware ! Your personal information can be stolen!


    Spyware related files may:
    Log your internet activity
    Get your bank account passwords, and send it through internet
    Get your email passwords
    Slow down your computer and internet connection
    Delete any files and compromise your Operating System
    We advise you immediately to scan your system and terminate all the files and processes that are related to spyware to avoid your system being compromised.

    Spyware removal tools: (and it had a clickable button here)

    So I X out of it and log on again, and I get the same http but it's all porn pics now.

    So I run the virus protector that I have from Verizon (my DSL company), find nothing, and I run the spyware scanner and find minimal. I take care of it and it's all still there.

    I don't use Panda any longer because last year it asked if I wanted to do something and I could no longer reboot; poof, everything was gone. Thank Gawd that I had my external HD. Now, I have used Ad-Aware, even their new beta 7. Of course they want me to delete my Verizon, which I can't do. I have also run SSI.

    I went to use XoftSpy and it found the IBIS Hunt toolbar as well as ErrorSafe and a few in-between things that I'm not sure are really severe. So I ran HijackThis, keeping the Xoft program open; I renamed HijackThis as you required. I have kept my machine on (DSL) for months now with no probs, and all of a sudden I get this hijacked browser and possible keylogger? So if someone could look at this HJT log and let me know if I have bigger probs than I'm aware of... I haven't turned my System Restore off yet either, just in case. And because you have a limit on this I will have to post the HJT log below. TY, RB
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I have removed your copy and pasted HJT log.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    Dinna know what these Combofix logs are or where the results of the AVG Antirootkit scan can be found... Went to post earlier and my machine is now freezing up, but I guess it was all the energy it sucked up doing scans for hours on end. Here are a few of my files if you want to look. If one isn't there, it's because it wouldn't finish, complete, froze, etc.

    RB
    OK, upped 2 files and only the last one is there... I'm about to throw this thing in front of the mailman. Maybe he can help. Grr
    rb

    Hope it helps!!

    rb

    I don't even see it like the HJT one. Tell me what is wrong.

    It was from AVG,
    txt format.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I really need to see Combofix and AVG Antispyware logs, please post them in your next reply. I also need to know the results of the AVG Antirootkit scan.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    TRISNA~1
    SSI

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SysEnforce

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    SYSENF~1.EXE

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\PROGRA~1\TRISNA~1<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as Combofix and AVG Antispyware logs as per the instructions HERE. Don`t forget to let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
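Added example, not part of the thread or of any poster's instructions: the removal Howard lays out in post 4 (stop and disable the service, end the process, fix the O23 line, delete the folder), written as a PowerShell script so that each step is checked rather than clicked. The service, process and folder names are the ones quoted in the post; the script assumes it runs from an elevated prompt in Safe Mode and treats every item as optional, matching Howard's "(if there)". HJT builds its O23 lines from the service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services, which is why the script reads and prints that value before deleting anything: it is the evidence of what actually ran and it survives after the folder is gone.

```powershell
# Added example (not from the thread). Scripted form of Howard's post 4 steps
# for the SysEnforce service. Run from an elevated PowerShell prompt in Safe Mode.
# Names below are the ones quoted in the thread; every step is skipped if the
# item is not present, which matches Howard's "(if there)".

$ServiceName    = 'SysEnforce'
$ProcessPattern = 'SYSENF*'                       # Task Manager shows the 8.3 name SYSENF~1.EXE
$Folder         = Join-Path $env:ProgramFiles 'TRISNA~1'  # C:\PROGRA~1\TRISNA~1 in HJT's notation

# 1. Record where the service points before touching it. HJT builds its O23 line
#    from this ImagePath value; it is the evidence of what actually ran.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    Write-Host "O23 - Service: $ServiceName - ImagePath: $imagePath"
}

# 2. services.msc step: stop it and set the Startup type to Disabled.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $ServiceName -StartupType Disabled
}

# 3. Task Manager step: end the process if it is still alive.
Get-Process | Where-Object { $_.ProcessName -like $ProcessPattern } | Stop-Process -Force

# 4. HJT "fix checked" on an O23 line removes the service registration;
#    sc.exe delete does the same thing from the command line.
if ($svc) { sc.exe delete $ServiceName | Out-Null }

# 5. Delete the folder the service ran from.
if (Test-Path $Folder) { Remove-Item -Path $Folder -Recurse -Force }

# 6. Verify nothing is left; a fresh HJT log after reboot should show no O23 line for it.
function Test-SysEnforceRemoved {
    $serviceGone = -not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
    $processGone = -not (Get-Process | Where-Object { $_.ProcessName -like $ProcessPattern })
    $folderGone  = -not (Test-Path $Folder)
    return ($serviceGone -and $processGone -and $folderGone)
}

if (Test-SysEnforceRemoved) { Write-Host "$ServiceName removed; reboot into normal mode." }
else { Write-Warning "Something remains; reboot, re-run, and post a fresh HJT log." }
```

Read the printed ImagePath before the delete steps: if it points somewhere other than the TRISNA~1 folder, that is the folder to remove. If sc.exe reports that the service is marked for deletion, Windows drops it at the next reboot, and the final check will warn until then; that is expected, not a sign the cleanup failed.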
     
  5. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    Trying to up the AVG report again

    AVG scan finally upped. Not sure why it wouldn't before. I changed it to a log file rather than a text file and it worked. Of course I'm not finished and it could disappear again, and I will do the safe mode thing you ask. Just know that last year, when I had spyware, I went to boot in safe mode and it never again let me on anything. It simply stopped, not into any page, nothing.


    Is the SSI for System Spy Interrogator? That is all that is in my add/delete.

    I did see the trista in the HJT log. Didn't do anything yet.


    RB
     
  6. jobeard

    jobeard TS Ambassador Posts: 9,327   +622

    You need to reconfig AVG Anti-Spyware - Scan Report, as it is ignoring
    everything, and there are problems with several entries:

    Jasc Software Inc/psp702crk.exe -> Backdoor.Theef.111
    Iscripts\Page Details\crazy-window.izs -> Not-A-Virus.BadJoke.JS.RJump
    AIM95/icbmft.ocm -> Worm.AimVen : Ignored.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As jobeard quite rightly points out, your AVG Antispyware log says all results have been ignored. That's because you haven't followed the instructions properly for AVG Antispyware.

    I requested you post a fresh HJT log as well as a Combofix log and that you let me know the results of the AVG Antirootkit scan, but you haven't done any of that.

    If you can't or won't follow the instructions, there's nothing I can do to help you.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    I am on chemo and yesterday was very hot outside, and when I went to sit in here and begin, I just fell on the floor. Soooooo after I picked myself up and showered I passed out in bed with only several waking moments. Got up today and did the following:

    Booted into safe mode.
    Turned on all the files and folders, including hidden and system, as described by your going HERE to see how it was done.

    Went to add/remove programs: there was no Trisna~1 or SSI.

    Closed the control panel.

    Typed services.msc in the run box; the file was already on disable: SysEnforce.

    Finallllllly did the Rootkit, and it showed nothing, so there is nothing to give you.

    After all this I opened up my browser and this was still there:
    http://www.usuc.us/2/popup/2.php?ref=john_p

    So obviously my browser is hijacked, but by whom is the question...

    Went to d/l tool 1 and nothing happened; however, I have a program on my desktop named System Spyware Interrogator.

    I again spent massive amounts of time with Trend Micro and it claims that I have lost my connection, which isn't true.

    I'm going to go and try tools 2, 3, 4 and see what happens...

    Thanks for being here for me. Just had to take my meds and I'm a bit shaky, so bear with me.

    Closed out the services window. Opened my task manager and SYSENF~1.EXE was not there; closed the task manager.

    Ran HJT and removed the O23 - Service: SysEnforce - Unknown owner - C: etc. Closed HJT.

    Opened up C:\Program Files and there was a Trisnap folder, and in that was an SSI folder, which I deleted.

    Rebooted back into regular mode and rehid protected files.

    I did a fresh HJT file and will post it. Did a new AVG scan after redoing the settings, and it showed nothing in there now and took like 3 min rather than the 2 hours it ran before.

    OK, here is where I run into probs, and I know it's me, but where the heck do I find the COMBOFIX and AVG ANTIROOTKIT scans?

    Doing the best I can.
    Oh, and why can I only post one scan in one post?

    RB

    I have posted all those that I had probs with before in a zip file, with the final HJT, your 4 files, the Ad-Aware... everything you asked for I tried to do, with about 90% success.

    Thanks Howard, for hanging in there with me. Hope I did right.

    RB
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Evrsoft First Page 2006

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    crazy-window.izs

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Evrsoft First Page 2006<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt. Please attach the Combofix log to your next reply.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    OK, will do that all in the next hour.

    One question: "System Restore"... could that be constantly hiding something that pops up each time I reboot?

    http://my.systemsecure.org/

    Besides the URL I got originally, the one above comes up.

    Just a thought,

    RB
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    System restore could be hiding nasties, but unless you actually do a system restore, they won't do any harm.

    Post the Combofix log as requested.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    OK, Combofix complete.

    Followed all your instructions, and neither the Evrsoft First Page nor the crazy-window.izs was on there; I had deleted Evrsoft yesterday. I was going to take an online course in CSS and had to d/l an FTP and Front Page, so I saw this place let you d/l for so long, and it was Evrsoft.

    Let me know what you find out.

    I won't reboot till I hear from you.

    You do know I have an external HD attached to this computer, F: drive, but it was scanned by all the scanners and everything was dumped...

    Fingers crossed
    X
    RB
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I want to see a Combofix log. I've only asked you for it six times.

    Regards Howard :rolleyes:

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    I did attach it and will screenshot it for you!

    I did attach it, and it's attached again. I have made a screenshot of it if it doesn't show again.

    rb
     
  15. jobeard

    jobeard TS Ambassador Posts: 9,327   +622

  16. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    Thank you

    rb
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your Combofix log is clean, though it did delete one file.

    Are you still getting the popups?

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Messenger<This has nothing to do with any IM programmes

    Close the services window.

    Reboot your system and let us know if you`re still having problems.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    It's still showing.

    When I log in, exactly as at the beginning of this post.

    I did the services run and there are two:

    Messenger is disabled

    They also had

    Messenger Sharing, which was manual

    And Jo, the classes I was going to take were held by IWA/HWG, their eClasses.
    They were the ones that said I needed an FTP and Front Page and could get a 60 place at Bizland.

    Anyway, don't know what to do now, or why it's doing that, and even if the warning is from MSN or from the hack...

    TY

    RB
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
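Added example, not from the thread: the Autoruns step Howard asks for is a manual read of the startup list with Microsoft-published entries hidden. Below is a PowerShell triage of an Autoruns CSV export (the console build writes one with `autorunsc.exe -a -c` in builds of that era; newer builds take `-a *`) that applies the same hide-Microsoft filter and then flags what a helper looks for by eye: no publisher, an image path that no longer exists, a path under a user profile or temp folder, an 8.3 short path like the C:\PROGRA~1\TRISNA~1 one earlier in this thread, and anything registered as a service (HJT's O23). The column headers are an assumption about the export format and the five sample rows are constructed for this example (they are not RestlessBeauty's log), so check the header line against your own export before running it.

```powershell
# Added example (not from the thread). Triage of an Autoruns CSV export,
# starting from what "Hide Microsoft Entries" leaves behind.
# Column names are an assumption about the autorunsc -c output; adjust to match
# your version's header line. Sample rows below are constructed, not a real log.

function Get-SuspiciousAutoruns {
    param([Parameter(Mandatory = $true)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv
    foreach ($row in $rows) {
        $company = [string]$row.Company
        $image   = [string]$row.'Image Path'

        # Same filter as the Autoruns option: anything Microsoft-published is hidden.
        if ($company -like '*Microsoft*') { continue }

        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($company))  { $reasons += 'no publisher' }
        if ($image -match 'File not found')          { $reasons += 'image missing (orphaned entry)' }
        if ($image -match '(?i)\\(temp|tmp|documents and settings)\\') { $reasons += 'runs from a user or temp path' }
        if ($image -match '~\d')                     { $reasons += '8.3 short path (hides the real folder name)' }
        if ($row.'Entry Location' -like 'HKLM\System\CurrentControlSet\Services*') { $reasons += 'registered as a service (HJT O23)' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Entry    = $row.Entry
                Location = $row.'Entry Location'
                Image    = $image
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample export (not a real machine's log). The SysEnforce row uses
# the path quoted in Howard's O23 line; the other rows are invented for illustration.
$sample = @'
"Entry Location","Entry","Description","Company","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ctfmon.exe","CTF Loader","Microsoft Corporation","c:\windows\system32\ctfmon.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","AVG Anti-Spyware","AVG Anti-Spyware","Grisoft","c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe"
"HKLM\System\CurrentControlSet\Services","SysEnforce","","","c:\progra~1\trisna~1\ssi\sysenf~1.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","sample_updater","","","c:\documents and settings\rb\local settings\temp\sample_updater.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldTool","","","File not found: c:\program files\oldtool\ot.exe"
'@

Get-SuspiciousAutoruns -CsvText $sample | Format-Table -AutoSize
```

On the sample, the ctfmon row is dropped by the Microsoft filter, the AVG row passes with no reasons, and the remaining three are listed: SysEnforce (no publisher, short path, service), sample_updater (no publisher, temp path) and OldTool (no publisher, orphaned). A missing publisher alone is weak evidence, since plenty of legitimate small tools are unsigned; the value is in the combination, and a flagged entry still has to be looked up before it is fixed.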
     
  20. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    Downloaded the zip file.

    Autoruns to my desktop; however, I was reading on this with the man who wrote about it, and someone used it and did the hide Microsoft entries and couldn't reboot again. It might be he unticked things, but it was an article attached to the page you sent me to, where someone wrote about this in the IT magazine. I'm not going to lose control of my machine to the point where I can't even read what you say unless I go to a library somewhere, am I?

    And there are two programs. Do I do both?

    Autoruns
    Autorunsc

    ?

    I'm not a brain surgeon, but even I get scared at these bloody computers. Soz

    Rb
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's the Autoruns.exe you need to run.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    I did it.

    Here you go. Ummmm, I didn't close it yet. Should I? And do I have to uncheck the hide Microsoft entries?

    RB
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You can now close Autoruns.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    paltalk messenger
    webshots

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    paltalk.exe
    launcher.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    c:\program files\webshots<Delete the entire folder.
    c:\program files\paltalk messenger<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of RestlessBeauty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. jobeard

    jobeard TS Ambassador Posts: 9,327   +622

    Well,
    2 - XP has an FTP client that will connect to any FTPd server on the web.
    3 - Front Page is a GUI layout tool to avoid learning HTML, JavaScript and CSS,
    but it is not necessary at all.
    4 - I can only guess '60 place at Bizland' is some kind of ranking for
    searchability, and if so, sorry -- humbug.

    Google and Open Directory take the URL of a homepage and send a webcrawler
    to investigate the site. When written correctly (i.e. the information content and the
    meta keywords are not overloaded), you can get results at line item 2 or 3 on the
    first page of Google results -- done it many times -- it has nothing to do with
    CSS or Front Page (thank God!)
     
  25. RestlessBeauty

    RestlessBeauty TS Rookie Topic Starter Posts: 18

    Before I do that: I have used Paltalk for over 6 years and all my art and photography is on Webshots. I would only have to upload them again, as I have paid for both. Are you saying that they dropped something so virulent on my computer that I'm getting that http when I log onto the internet? Is it more so that someone dumped something on me while I was at one of those places? I use Pal for chats and I admin a music room on there. Webshots holds about 7 or 8 of my digital folders or digital photography folders of mine.

    RB
     
Topic Status:
Not open for further replies.
