Please help with malware and pop-up disaster in CHI-town!

Status
Not open for further replies.
Hi, everyone, I'm hoping that one of you wonderful experts could shed some light on my situation. Earlier today my machine was infected with a bunch of junk, including pokapoka76.exe and CMsystem.exe. I managed to get rid of most of it, but when I surf the Web I still get tons of pop-ups, some of which install short-cuts on the desktop.

I'm attaching a HijackThis log and also the log from my most recent Ewido scan. Any help at all walking me through how to permanently delete this stuff would be truly a blessing. Thanks so much, --Josh

p.s. I've already disabled the automatic system restore and made all hidden files visible.
 
Thanks, Howard. I updated HijackThis and followed the instructions in the thread. Things have improved. For example, now when I surf there are fewer pop-ups, and the text on webpages isn't highlighted in strange places.

However, I still get some pop-ups, and when I reboot I get an error: "This application has failed to start because rastmon.dll was not found. Reinstalling the application may fix this problem." I've just been closing the window rather than clicking OK in case it's a trap.

Also, here's the latest HijackThis log. Any suggestions? I see one "file missing" entry, but I won't do anything until I hear back from someone who knows what they're doing ;) I really appreciate it. --Josh


--------------
howard_hopkinso said:
Hello and welcome to Techspot.

Your version of HijackThis is out of date.

Go and read this thread by RBS, and follow all the instructions exactly.

How to remove Begin2search / coolwebsearch and other nasties.

Then post a fresh and up-to-date HJT log.

Regards Howard :wave: :wave:
 

Attachments

  • hijack this.txt
    5.4 KB · Views: 5
OK, I downloaded, installed, and ran AVG and Sygate. Just to clarify, I'd been told by several people (who I guess were wrong) that I didn't need that type of protection because my router has a firewall. So I'm not *totally* clueless ;)

Here's the latest HijackThis log (attached).

I think what I have might be something to do with Elite Toolbar. The ET Remover found 2 things this morning (in normal mode), and it couldn't delete a file in the Temp folder because this file was "in use."

Thanks in advance for any suggestions! If you guys are ever in Chicago, you know who to email for some free breakfast. --Josh
 
A router firewall does not stop malicious outgoing traffic!

First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/R/ unRegister the xxx.DLL in that line
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
/R/ O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsu5.dll
/R/ O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasbhkn.dll
/P/ O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [ResChanger2004] NONE
/P/ O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
...................................................................................................
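
An added example, not part of the original thread: a small Python parser for a subset of the HijackThis lines in the fix list above. It records the helper's /P/ and /R/ markers, flags entries whose target the log itself reports as absent, and, as a heuristic added here, decodes path components that are valid base64. The function names and the decoding heuristic are assumptions of this example, not HijackThis features.

```python
import base64
import re

# A subset of the log lines from the fix list above, with the helper's markers.
SAMPLE = r"""
/R/ O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsu5.dll
/P/ O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [ResChanger2004] NONE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
"""

LINE = re.compile(r"^(?:/(?P<marker>[PR])/\s*)?(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# Target reported as absent by the log: "(file missing)", "(no file)" or "] NONE".
ORPHAN = re.compile(r"\((?:file missing|no file)\)$|\]\s*NONE$")
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def hidden_names(detail):
    """Heuristic (added here): path components that base64-decode to readable ASCII."""
    found = {}
    for part in re.split(r"[\\ ]", detail):
        if B64_NAME.match(part) and len(part) % 4 == 0:
            text = base64.b64decode(part).rstrip(b"\x00")
            if text and all(32 <= b < 127 for b in text):
                found[part] = text.decode("ascii")
    return found

def parse(log):
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, running-process list
        detail = m["detail"]
        entries.append({
            "section": m["section"],
            "marker": m["marker"],  # P = stop process, R = unregister DLL
            "orphaned": bool(ORPHAN.search(detail)),
            "unknown_owner": "Unknown owner" in detail,
            "decoded": hidden_names(detail),
            "detail": detail,
        })
    return entries

if __name__ == "__main__":
    for e in parse(SAMPLE):
        flags = [k for k in ("orphaned", "unknown_owner") if e[k]]
        print(e["section"], e["marker"] or "-", flags, e["decoded"])
```

On the O23 line, the folder name T3duZXIA decodes to "Owner", the same account name that appears in the Temp path quoted later in the thread.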
 
Hello, fellow Guinness lover. OK, I did everything. Here's the latest HijackThis log. You can see that there's still that pesky line:

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

I deleted the directory before, as instructed, but it keeps coming back. Should I be worried?

By the way, I no longer get that warning when I reboot, so things are definitely almost back to normal. Thanks, --Josh

p.s. Also, suspicious-looking files keep reappearing in C:\Documents and Settings\Owner\Local Settings\Temp
 
I don't see anything wrong other than this:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

I suggest you temporarily stop using that program BIGFIX and see how it goes.
It's a huge drain on your resources, and may well have hooked up with something malicious!
 