Doc needs help with some nasty's

  1. #1
    Registered User
    Join Date
    Jul 2004
    Posts
    8

    Doc needs help with some nasty's

    Well I ran into a real "stumper" this week! My wife volunteered me to repair one of her co-worker's computers (hey I don't mind, I really love this stuff) but wouldn't you know it, this thing stumped me!

    Here's the scenario: This computer is about 6 months old and has Windows XP Pro, P4 2.8, and they keep their Norton up to date.
    They didn't have a firewall or any spyware programs to speak of.

    The owner started getting "popups" that got progressively worse. When the machine was booted up, within 60 seconds or so Internet Explorer would open and some extremely graphic GAY PORN would be on the machine. It would close if you X'ed it, but would reopen again until it was X'ed one more time. After that it would stay closed but would start all over again after a reboot. After you got past that scenario then came all the popups (none obscene)... I even got one from someone trying to sell Antivirus while visiting Norton's web page!

    I installed Spybot, Ad-aware, Regcleaner, and HJT. I ran everything in safe mode, deleted all files I could find, cleared out the "start" registry, as well as any other registry entry pertaining to the unwanted crap! I uninstalled programs that appeared to have an uninstaller and so on!
    After all that I would restart the computer and within 5 minutes it would all come back (when hooked to the internet). When I would look under processes the machine would appear to be at a normal idle of 0-1%.
    My only apparent clue was the fact that one of the little activity icons would stay lit constantly (internet activity). I tried using the "System configuration utility" to help. This would solve the problem but only until I went back to a "normal" start up.

    After spending several hours trying to resolve this and then realizing that there was less than a gig of data on the hard drive, I gave in and reformatted! I transferred all data on to another machine and lost nothing but a little pride!

    I could really use some insight into what just happened here. One further thing that really puzzled me was "the thing's" ability to reload the computer (folders and all) with several different things all at once (such as 180 solutions, 1 ST bar.slotch, DyFuca, Power scan, msbb, awoa, gheuai, tpzza, optimize...etc)! All this in literally seconds! What I would spend a half hour or so to remove would come back almost instantly.

    It's not nice when you really want to take a baseball bat to someone else's computer... Probably wouldn't be easy to splain! LOL!

  2. #2
    Registered User eboyjones's Avatar
    Join Date
    Apr 2001
    Location
    Right Here!
    Posts
    705
    This is a point referred to several times in the forums when trying to remove spyware, viruses etc. It might help next time:

    "if you are trying to rid your machine of a virus infection or spyware, System Restore can be your enemy. Virus scanners cannot clean infections from restore points, making reinfection possible. The same can happen if you do a system restore after running an anti-spyware utility, with objects reappearing after a scan-and-delete sweep."

    So make sure to turn off system restore before trying to remove nasties.
    "Everybody needs a little help sometimes"

  3. #3
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    HJT gives you the paths to the nasties - go find the files and delete them - empty recycle bin and turn off system restore.

    Post your HJT log as well.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  4. #4
    Registered User
    Join Date
    Jul 2004
    Posts
    8
    Thanks for the replies but I did all that and more. I even spent quite a bit of time editing through the registry. I found several things there that were obvious and several that were not. While I don't pretend to be "Be all that knows all" I have spent considerable time over the past few years learning to deal with this stuff and have until now never had one that stumped me. I was just hoping that perhaps someone here has come across something similar and could shed a little light.

  5. #5
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    Could be some spyware in your winsocks...download this and run it...you'll need to reboot. You'll probably want to reclean before you run this, and don't hook up to the net until after this is run...you should still post your HijackThis log, even experts overlook things.

  6. #6
    Registered User
    Join Date
    Jul 2004
    Posts
    8
    Thanks for the reply! I will keep that tool for future use. Your points are noted without disagreement, especially the part about overlooking something.
    Thanks again! Doc.

  7. #7
    Registered User meatwad's Avatar
    Join Date
    Oct 2002
    Location
    Numba 1 in tha hood G
    Posts
    3,835
    Did you run Kill2Me and VXDfinder?

  8. #8
    Registered User pugs's Avatar
    Join Date
    Aug 2004
    Location
    Near Chicago
    Posts
    19
    The problem comes in where there are registry entries, BHOs, and then DLLs that back each other up when you try to delete them. All you really need to do is clean with HJT, reboot into safe mode and kill the files. I know it sounds easy and that's because it is. Although 90 percent of the malware out there can be gotten rid of with a combo of Spybot S&D and Adaware. The trick is setting the programs up correctly. Here's a link: http://www.zerosrealm.com/index.php?page=scanning Really the only true PITA infections come from coolweb. Or for that matter the new ADS type infections, but that's not widely spread yet.
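
Added example (not part of any post in this thread): posts #3, #5 and #8 mention the file paths in a HijackThis log, Winsock entries, and registry entries, BHOs and DLLs that back each other up. The Python sketch below parses a constructed HijackThis-style log and reports which files are loaded through more than one mechanism; the sample entries, file names and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a HijackThis log (names and paths invented).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\examplebar.dll
O4 - HKLM\..\Run: [exampleldr] rundll32.exe "C:\WINDOWS\system32\examplebar.dll",Start
O4 - HKCU\..\Run: [updater] C:\Program Files\ExampleAd\exupd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\examplelsp.dll
"""

# HijackThis section codes used here: O2 = Browser Helper Object,
# O4 = autostart entry (Run key / Startup), O10 = Winsock LSP.
MECHANISMS = {"O2": "BHO", "O4": "autostart", "O10": "winsock-lsp"}
ENTRY = re.compile(r"^(O\d+) - (.*)$")
# Absolute path ending in .dll or .exe; stops at quotes and commas.
PATH = re.compile(r'[a-z]:\\[^"\r\n,]*?\.(?:dll|exe)\b', re.IGNORECASE)


def persistence_map(log_text):
    """Map each referenced file (lower-cased) to the mechanisms that load it."""
    files = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) not in MECHANISMS:
            continue
        for path in PATH.findall(m.group(2)):
            files[path.lower()].add(MECHANISMS[m.group(1)])
    return {p: sorted(mechs) for p, mechs in files.items()}


def multiply_registered(log_text):
    """Files with more than one loader: removing a single entry leaves another in place."""
    return sorted(p for p, m in persistence_map(log_text).items() if len(m) > 1)


def needs_winsock_repair(log_text):
    """LSP files: deleting these without repairing the Winsock chain breaks networking."""
    return sorted(p for p, m in persistence_map(log_text).items() if "winsock-lsp" in m)


if __name__ == "__main__":
    for path, mechs in sorted(persistence_map(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(mechs)}")
```

Every entry that points at a multiply-registered file has to be fixed in the same pass, offline, before the file itself is deleted.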
