Help desperately needed with new(?) virus!!!

Guest

I need help cleaning out a virus I became infected with.

Multiple pop-ups and interruptions are the typical symptoms. Task Manager
gets deluged with a dozen or more operations, and closing them does not
arrest the virus.

At first I thought it was WINTOOLS, judging from “PC HELL” site, and
proceeded from there.

Disabled System Restore.
Boot is Safe Mode.
Ran REGEDIT; checked registry entries, but none match the suspected infected
lines.
Close REGEDIT.
Ran Hijack This.
Only found 1 BHO line; studied it, and decided to delete it (made a copy
first).
Other entries did not show up. (in other words .. no … HKLM …\WINTOOLS …
lines.
Rebooted in Normal Mode.
Still infected.

Turned back to “PC HELL”, tried to search for “targetsaver” references.
(weren’t any??).
Did an internet search, and found instructions.
Deleted TargetSaver from Control Panel Add/Remove Programs.
Booted in Safe Mode.
Opened REGEDIT.
Again, could not find suspicious line .. as in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Tsa.
(or Tsa2)

Closed REGEDIT.
Rebooted in Normal Mode.
Reset System Restore.
Still infected.


My system:

Windows XP Home
DSL modem
Presario Pentium desktop
1 Gig ram
Using Norton, Hijack This, Ewido, Ad-Aware [all updated!]


The virus launches pop-ups one on top of another; crams the task manager;
eventually rendering other programs unusable; and even places icons for some
pop-ups on the desktop. Many (not all) of the pop-ups advertise a
“TargetSaver” line on top.
Did a search for both “targetsaver” … and “target saver” in newsgroup
security, but nothing came back.

How do I clean this OUT????

Thanks for any help!!!
 
Ted Zieglar

Your choices are:

* keep trying with different scanners - you may be lucky enough to find
one that recognizes what you're infected with
* try searching for rootkits
* restore your system from a known good backup...but then, you wouldn't
be posting if you had a known good backup
* clean install
 
Malke

Michael said:
I need help cleaning out a virus I became infected with.

Multiple pop-ups and interruptions are the typical symptoms. Task Manager
gets deluged with a dozen or more operations, and closing them does not
arrest the virus.

At first I thought it was WINTOOLS, judging from “PC HELL” site, and
proceeded from there.

Disabled System Restore.
Boot is Safe Mode.
Ran REGEDIT; checked registry entries, but none match the suspected
infected lines.
Close REGEDIT.
Ran Hijack This.
Only found 1 BHO line; studied it, and decided to delete it (made a copy
first).
Other entries did not show up. (in other words .. no … HKLM …\WINTOOLS …
lines.
Rebooted in Normal Mode.
Still infected.

Turned back to “PC HELL”, tried to search for “targetsaver” references.
(weren’t any??).
Did an internet search, and found instructions.
Deleted TargetSaver from Control Panel Add/Remove Programs.
Booted in Safe Mode.
Opened REGEDIT.
Again, could not find suspicious line .. as in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Tsa.
(or Tsa2)

Closed REGEDIT.
Rebooted in Normal Mode.
Reset System Restore.
Still infected.


My system:

Windows XP Home
DSL modem
Presario Pentium desktop
1 Gig ram
Using Norton, Hijack This, Ewido, Ad-Aware [all updated!]


The virus launches pop-ups one on top of another; crams the task manager;
eventually rendering other programs unusable; and even places icons for
some pop-ups on the desktop. Many (not all) of the pop-ups advertise a
“TargetSaver” line on top.
Did a search for both “targetsaver” … and “target saver” in newsgroup
security, but nothing came back.

Run HijackThis again and post your log on one of these specialty forums (not
here, please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://forums.tomcoyote.org/

Malke
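
What triaging the HijackThis log discussed in this thread can look like, as an added example that is not part of any post: a Python sketch that pulls the autostart lines (O2 BHOs, O4 Run entries and Startup items) out of a log and flags the names quoted above (Tsa, Tsa2, TargetSaver, WinTools). The sample log, its paths and its CLSIDs are constructed, and the line layout is assumed from typical HijackThis output.

```python
import re

# HijackThis autostart sections: O2 = Browser Helper Object, O4 = Run keys / Startup.
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

RUN_VALUE_NAMES = {"tsa", "tsa2"}         # Run value names quoted in the thread
SUBSTRINGS = ("targetsaver", "wintools")  # product names quoted in the thread

# Constructed sample log: every path and CLSID below is a placeholder.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Example\WinTools\bar.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Example\av.exe"
O4 - HKCU\..\Run: [Tsa2] "C:\Example\tsm2.exe"
O4 - HKLM\..\RunOnce: [Updater] C:\Example\TargetSaver\update.exe
O4 - Global Startup: Example.lnk = C:\Example\example.exe
"""

def autostart_entries(log_text):
    """Return (section, location, name, target) for every O2/O4 line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2.match(line)
        if m:
            entries.append(("O2", "BHO", m["clsid"], m["path"]))
            continue
        m = O4.match(line)
        if m:
            entries.append(("O4", m["where"], m["name"], m["path"].strip('"')))
        elif line.startswith("O4 - "):
            # Startup-folder items carry no [value name]; keep the raw text.
            where, _, rest = line[5:].partition(": ")
            entries.append(("O4", where, "", rest))
    return entries

def flag(entries):
    """Keep entries whose value name or target matches a name from the thread."""
    hits = []
    for section, where, name, target in entries:
        text = f"{name} {target}".lower()
        if name.lower() in RUN_VALUE_NAMES or any(s in text for s in SUBSTRINGS):
            hits.append((section, where, name, target))
    return hits

if __name__ == "__main__":
    for hit in flag(autostart_entries(SAMPLE_LOG)):
        print("REVIEW:", *hit)
```

Because it reads the log rather than one registry key, the same pass covers the HKLM and HKCU Run and RunOnce entries and the BHO list together.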
 
Guest

Thanks, Ted and Malke,

Finally, just wondering: does what I wrote suggest anything in particular?
[any particular virus, I mean]. I ask, because I thought it might've been
this targetsaver thing. No?

I am not able to identify the thing, can probably fix it if I could.

Yes, I thought of posting a Hijack readout ... will probably do that.

I can't bear to face another clean install ... did that a year ago ... ugh!

--
Thanks, Michael


Malke said:
Michael said:
I need help cleaning out a virus I became infected with.

Multiple pop-ups and interruptions are the typical symptoms. Task Manager
gets deluged with a dozen or more operations, and closing them does not
arrest the virus.

At first I thought it was WINTOOLS, judging from “PC HELL” site, and
proceeded from there.

Disabled System Restore.
Boot is Safe Mode.
Ran REGEDIT; checked registry entries, but none match the suspected
infected lines.
Close REGEDIT.
Ran Hijack This.
Only found 1 BHO line; studied it, and decided to delete it (made a copy
first).
Other entries did not show up. (in other words .. no … HKLM …\WINTOOLS …
lines.
Rebooted in Normal Mode.
Still infected.

Turned back to “PC HELL”, tried to search for “targetsaver” references.
(weren’t any??).
Did an internet search, and found instructions.
Deleted TargetSaver from Control Panel Add/Remove Programs.
Booted in Safe Mode.
Opened REGEDIT.
Again, could not find suspicious line .. as in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Tsa.
(or Tsa2)

Closed REGEDIT.
Rebooted in Normal Mode.
Reset System Restore.
Still infected.


My system:

Windows XP Home
DSL modem
Presario Pentium desktop
1 Gig ram
Using Norton, Hijack This, Ewido, Ad-Aware [all updated!]


The virus launches pop-ups one on top of another; crams the task manager;
eventually rendering other programs unusable; and even places icons for
some pop-ups on the desktop. Many (not all) of the pop-ups advertise a
“TargetSaver” line on top.
Did a search for both “targetsaver” … and “target saver” in newsgroup
security, but nothing came back.

Run HijackThis again and post your log on one of these specialty forums (not
here, please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://forums.tomcoyote.org/

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
 
Ted Zieglar

I'm not trying to be a smarta** here, but my efforts are focused on
avoiding viruses rather than learning about them, so I really don't know
how to tell one from another. And if I was to become infected...which
has not happened thus far...I would be more inclined to restore one of
my daily images rather than repairing the infection. That's probably a
silly attitude of mine, but malware is so malicious these days I don't
think I would be comfortable with a repair.
 
