Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32-PUP-gen, Hijack Homepage, rstrui.exe gone beserk


  • Please log in to reply
No replies to this topic

#1 BLewellyn

BLewellyn

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Upper Great Lakes Region AKA the Frozen North
  • Local time:05:01 PM

Posted 16 March 2011 - 08:32 PM

Hello,

Thanks in advance for any help you can give me. I appreciate your efforts on my behalf. This is long, sorry. A lot has happened.

Some background: The PC in question was previously owned by my daughter who is not technically savvy at all and doesn't want to be. It's a Dell Dimension 3000 bought in 2004. She bought the PC when her husband was deployed to Iraq and basically used it for a year and a half to email and skype him, send him
pictures of their son, and some very occasional random surfing. Plus the boy played games on it from Disney, The Wiggles, and Sesame Street etc. The ISP was her local cable company and she used their anti-virus--I think it was McCafferty but I'm not certain--something starting with an M and a well known
AV. The only firewall she had was the internal Windows one.

She got some trojans but other than letting her AV delete them she didn't pursue it any further. Then she got a slew of trojans and at some point the AV had either been compromised or gotten turned off as was the firewall. At that point she turned the machine off and it sat there gathering dust for five years until she gave it to me.

Sooo when I got it, the first thing I did was do my own upgrade of the RAM from 256 Mb to 2 Gb. That seemed to go well. Then I downloaded Microsoft's anti-spyware and the Comodo firewall from a clean PC, installed it and began working on getting rid of the mess that was there with the help of another well known malware removal forum that shall remain unamed publically at this point because I don't think it is the fault of the site itself for what
transpired but probably just that particular volunteer. I'm a little peeved because I HAD a working PC but now I have a big paperweight. But Crap happens,you know?

I started out with 7 known trojans and we cleaned out about 11or 12 serious infections --mostly trojans and over 800 malware/adware/unwanted cookies. I can go into more detail about that if you'd like. He said it was clear but it was
still acting wonky. I had to take ownership of the qoobox file to maually delete it to completely uninstall combofix. The same thing for Adobe AIR and DLM. Ditto MyWaySearchAssistant. I was getting "virtual memory too low" alerts 2 or three times a day plus the PC was also getting progressively slower and slower and freezing at times. My passwords from the system & Bios password to all the user passwords got changed. I had to remove the jumper from the motherboard to even boot up. Luckily I hadn't gone into safe mode and changed THAT password or I'd have really been stuck. I found three additional System Administrator folders with three different names in documents and settings.


So I went back to the same forum. He had me download another tool but then he never followed up. He just quit responding to my posts--I made more posts, alerting him to other problems I was having--task manager was showing my CPU usage at 100% at times but I the numbers on the processes tab didn't reflect that... Somewhere along the line, I ran into Black Viper's services tweaks and applied the ones for safe mode. They'd take for a day or two but I'd go back and some of them would be re-enabled. It's been more than 3 weeks now so I came here (and Microsoft) and started reading about memory issues, downloaded perfmon and autoruns and tried to understand what I was seeing. :unsure:

I did find a problem with how virtual memory was being allocated and let Midrosoft fix-it change it to the correct settings. I was making my way slowly through the autoruns list and your startup programs list over the course of a few days, disabling stuff as I went along and then putting the PC through its paces before I went on to the next progam. I'd disable my autorun printer files
and the next time I logged on to the system and autorun they would be enabled again. Then the autorun and perfmon icons disappeared from my desktop. I also got several alerts from what purported to be WinPatrol that About:Home was trying to change my start page. I don't think it WAS WinPatrol though because there was no barking
dog and it wasn't the usual pop-up screen. I would.not.go.away like a good doggie when I told it no either. :rolleyes:

Just before that happened I had noticed in autoruns that there was a user called NT Authority/(I think system) that had some autoruns in the registry
files for something called terminal server and something to do with remoteaccess.. No other user has these files listed. I was in the process of googling those to find out what they are and what they do when I got distracted by this
other stuff, so I still don't know what they are or why they are there. And who is NT Authority?

I was pretty sure none of that was an accident so I ran a malwarebytes scan and started googling about that stuff. While I was doing that Avast alerted me that I had a Win32-PUP-gen trojan in file +2MLjhPU.exe.part, file ID 4. I dunno if that was a false positive because I forgot to shut Avast down or not. Malwarebytes found two instances of Hijack Homepage. At that point I decided
I needed to start a thread here and get some help.

I was going through the preparation steps prior to making my first post and ran into problems right away. First of all, I wasn't getting a confirmation email when I tried to register. I was checking the spam file after asking it to be
sent the third time and actually saw it disappear from the screen. Then I don't think defogger ran--after half an hour I still hadn't got the
prompt to reboot. I went to the next step and tried to download DDS. My PC froze although I could hear it doing something and it sounded like it was straining to do it. I managed to get the task manager open and saw that rstrui.exe was
using a lot of memory and a huge percentage of CPU usage--85-100%. I tried to kill that program and got a "permission to access file denied" alert. So I tried to shut down the whole PC. After a few minutes, I pulled the plug and cut off the electricity to the machine.

It took 13 minutes to fully reboot and when I tried to open the task manager it froze again. My Online Armor had also been stopped or at least it wasn't in the tool bar. I rebooted again and tried to open start to turn OA back on. Froze again. Rebooted again and tried to open perfmon and it froze again. sigh... At that point I took the dog for a walk before I threw the damn thing
out my 9th floor window :angry: --the PC, not the dog. <grin>

On my walk I decided to try a safe mode restore. That worked, sort of. The programs I had downloaded prior to that restore point were no longer on my desktop. But the minute I tried to do anything but look at my desktop, it froze again. I rinsed and repeated that process several times. I can, or at least could, still get into safe mode but can't get anything on the desk top to respond.

I have a brand new 8 gig USB flash drive to work with and lots of blank CDs with access to a clean
PC on Fridays. What should I do first? There is nothing on this PC that I really want to save since all my daughter's pictures and stuff have been
transferred to Flickr or CD. Do you think I should just wipe the hard drive clean and start over? I have all the Windows and Drivers CDs that came with the machine. I want to do a dual boot with Ubuntu too. I also plan to install another hard drive I salvaged from another Dimension that died. Didn't want to get into that until I was sure all the problems with this hard drive were fixed.

Again, I apologize for the lenth of this post. Thanks for your consideration and help with this PC. I apologize for any wonky line breaks I missed too. :blush: Ick!

Barbara

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users