TechSpot

Please help with malware and pop-up disaster in CHI-town!

By jbviau
Oct 21, 2005
Topic Status:
Not open for further replies.
  1. Hi, everyone, I'm hoping that one of you wonderful experts could shed some light on my situation. Earlier today my machine was infected with a bunch of junk, including pokapoka76.exe and CMsystem.exe. I managed to get rid of most of it, but when I surf the Web I still get tons of pop-ups, some of which install shortcuts on the desktop.

    I'm attaching a HijackThis log and also the log from my most recent Ewido scan. Any help at all walking me through how to permanently delete this stuff would be truly a blessing. Thanks so much, --Josh

    p.s. I've already disabled the automatic system restore and made all hidden files visible.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

  3. jbviau

    jbviau Newcomer, in training Topic Starter

    Thanks, Howard. I updated HijackThis and followed the instructions in the thread. Things have improved. For example, now when I surf there are fewer pop-ups, and the text on webpages isn't highlighted in strange places.

    However, I still get some pop-ups, and when I reboot I get an error: "This application has failed to start because rastmon.dll was not found. Reinstalling the application may fix this problem." I've just been closing the window rather than clicking OK in case it's a trap.

    Also, here's the latest HijackThis log. Any suggestions? I see one "file missing" entry, but I won't do anything until I hear back from someone who knows what they're doing ;) I really appreciate it. --Josh


  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Will you please edit your last post, and attach your HJT log as a text attachment.

    Thanks.

    Regards Howard :)
  5. jbviau

    jbviau Newcomer, in training Topic Starter

    There you go--I attached the .txt file. Thanks, --jv
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    I will NOT Waste my time on someone who does not even take ELEMENTARY PROTECTION!
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

  8. jbviau

    jbviau Newcomer, in training Topic Starter

    OK, I downloaded, installed, and ran AVG and Sygate. Just to clarify, I'd been told by several people (who I guess were wrong) that I didn't need that type of protection because my router has a firewall. So I'm not *totally* clueless ;)

    Here's the latest HijackThis log (attached).

    I think what I have might be something to do with Elite Toolbar. The ET Remover found 2 things this morning (in normal mode), and it couldn't delete a file in the Temp folder because this file was "in use."

    Thanks in advance for any suggestions! If you guys are ever in Chicago, you know who to email for some free breakfast. --Josh
  9. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    A router firewall does not stop malicious outgoing traffic!

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /R/ unRegister the xxx.DLL in that line
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /R/ O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsu5.dll
    /R/ O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasbhkn.dll
    /P/ O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKCU\..\Run: [ResChanger2004] NONE
    /P/ O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
    ...................................................................................................
  10. jbviau

    jbviau Newcomer, in training Topic Starter

    Hello, fellow Guinness lover. OK, I did everything. Here's the latest HijackThis log. You can see that there's still that pesky line:

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

    I deleted the directory before, as instructed, but it keeps coming back. Should I be worried?

    By the way, I no longer get that warning when I reboot, so things are definitely almost back to normal. Thanks, --Josh

    p.s. Also, suspicious-looking files keep reappearing in C:\Documents and Settings\Owner\Local Settings\Temp
  11. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    I don't see anything wrong other than this:
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

    I suggest you temporarily stop using that program BIGFIX and see how it goes.
    It's a huge drain on your resources, and may well have hooked up with something malicious!
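Added as a defender's illustration, not HijackThis code or anything posted by the thread's participants: a small Python parser that reads the HJT lines RealBlackStuff listed above and flags the patterns being fixed, including the orphaned "(file missing)" cmdService entry that Josh says keeps coming back after the directory is deleted. The sample log is copied from the thread; the flag heuristics are my own.

```python
# Triage HijackThis-style log lines like the ones posted in this thread.
# Added example, not HijackThis code; the flags are my own review heuristics.
import re

# Sample lines copied from the HJT output quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsu5.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasbhkn.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [ResChanger2004] NONE
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
"""

# One regex per HJT section used here; each exposes 'name' and 'path' groups.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O4":  re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O9":  re.compile(r"^O9 - Extra button: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: .*? \((?P<name>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$"),
}

def triage_line(line):
    """Parse one HJT line; return (section, name, path, flags) or None."""
    for section, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if not m:
            continue
        name, path, flags = m["name"], m["path"], []
        # The registry entry outlives the file: deleting the directory does not
        # remove the key, so the line reappears in every new log until the key
        # itself is fixed (for O23, the service named in parentheses).
        if "(file missing)" in path or "(no file)" in path:
            flags.append("orphaned registration")
        if section == "O23" and m["owner"] == "Unknown owner":
            flags.append("service with unknown owner")
        if section == "O4" and path == "NONE":
            flags.append("Run value with no target")
        elif section == "O4" and "\\" not in path:
            flags.append("Run entry without full path")  # resolved via search order
        if section == "O2":
            flags.append("BHO loads into every IE process; verify the DLL")
        return section, name, path, flags
    return None

def triage(log_text):
    """Return the parsed entries that raised at least one review flag."""
    parsed = (triage_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in parsed if e and e[3]]
```

Running `triage(SAMPLE_LOG)` reports six of the seven lines; the irassync Run entry has a full path and no other tell, which is a reminder that heuristics like these supplement, not replace, a human reading the log.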