Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horses And Pop-ups


  • Please log in to reply
5 replies to this topic

#1 bejitto101

bejitto101

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 12 September 2007 - 03:11 PM

As the title says thats what I'm getting and I can't get rid of them. The trojans I get every 10 minutes or so, AVG popping up saying they detected it and if I want to 'heal' it. As for the pop-ups, almost every time I open a new window in Firefox I get a couple. Stuff for like SystemDoctor and Viagra. I've run a scan with AVG and Spybots and Ad-aware. They detect stuff, I delete, but they come back. I've tried restarting in safe mode, but every time I do that my computer crashes. I get past "Loading your personal settings" then I get an alert about "You are running in safe mode.." or something similar I think, which quickly disappears and then I'm left with a black screen. Any help would be greatly appreciated, thanks!

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 12 September 2007 - 03:42 PM

Hello there and welcome to BleepingComputer.
First off, try following this self-help guide. If this does not solve the problem, please follow our Preparation Guide For Use Before Posting a HijackThis Log; running all of the scans before posting your HijackThis log. Do not post your log here, but instead use our HijackThis Logs and Analysis Forum.
After posting a log you should NOT make further changes to your computer except those that are advised by a member of the HijackThis Team; doing so can cause system changes that may not be visible in your log. Please be patient whilst waiting for a response, our HJT Team is currently very busy, and as we try to deal with logs on a "first come first served" basis, you may have to wait a short while.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 bejitto101

bejitto101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 12 September 2007 - 03:48 PM

Well, I've looked through the self help guide, however I can't restart my comp in safe mode which kinda kills that idea. Advice?

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 12 September 2007 - 04:24 PM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 bejitto101

bejitto101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 12 September 2007 - 04:30 PM

SmitFraudFix v2.222

Scan done at 14:28:51.48, Wed 09/12/2007
Run from C:\Documents and Settings\Joyce Ng\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\djgcwejf.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM5LAK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM5SWK.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Joyce Ng


C:\Documents and Settings\Joyce Ng\Application Data


Start Menu


C:\DOCUME~1\JOYCEN~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.zoo.org/bearcam/cam.html"
"SubscribedURL"="http://www.zoo.org/bearcam/cam.html"
"FriendlyName"="Bear Cam"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EEB064DE-3D9E-433C-B522-8A512551B57D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EEB064DE-3D9E-433C-B522-8A512551B57D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EEB064DE-3D9E-433C-B522-8A512551B57D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 13 September 2007 - 11:37 AM

Based on the malware I see present there, I think it would be best to post a HijackThis log for one of our experts to analyse. I provided the link to the "Preparation Guide" in my first post ...

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users