
Slow-running Internet And Graphic Images On Ie Homepage


17 replies to this topic

#1 suttles95
  • Members
  • 45 posts
  • Gender:Male
  • Location:Mount Juliet, TN

Posted 10 October 2007 - 10:20 PM

This morning when my wife opened our Bellsouth homepage, she saw pornographic ads on the right-hand side of the page. She immediately called Bellsouth Fast Access internet tech support, and they told her that they think that we're infected with spyware/malware.

She ran AdAware and deleted some items, and it got rid of the graphic images, but IE still takes several minutes to initially open the program. And you might as well forget about opening another tab.

I ran Spybot tonight and found 2 problems:

1. Company:
Product: DeepDive
Threat: Malware


Description
Installs a browser helper object (BHO) into Internet Explorer without giving the user a possibility to cancel that process. Also loads CoolWWWSearch.OleHelp.

2. Company:
Product: TagASaurus
Threat: Trojan


Description
TagASaurus installs itself into the Windows directory and tries to connect to the internet. When it is connected it produces several annoying pop-ups when the user is browsing the web.

I'm attaching the log with this post. I don't want to fix the problems until I get professional advice.

I ran AdAware again and found 7 tracking cookies.

Finally, I ran Panda Active Scan and found 62 items.

I'd like to attach the logs with this post, but I can't figure out how to do so. I'll be glad to cut and paste the logs into a separate post if needed.

Can some expert let me know what I'm infected with and how I can get rid of it? And more importantly, how can I prevent this from happening again?

I can also attach a HijackThis log if it's needed.

--Brian

Edited by suttles95, 10 October 2007 - 10:25 PM.
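
The DeepDive entry above describes a browser helper object, which is a COM DLL that Internet Explorer loads at startup because its CLSID is listed under a registry key. A defender can audit that key directly instead of relying on a scanner's verdict. The following PowerShell is an added example, not from this thread, from Spybot or from any of the tools named here; it assumes an elevated PowerShell on a Windows host with the standard IE registry layout, and the function name Get-InstalledBho is our own.

```powershell
# Added example (not from the thread): list Browser Helper Objects registered for
# Internet Explorer, resolve each CLSID to its DLL, and check the DLL's signature.
# Assumes an elevated PowerShell on Windows; both the native and the Wow6432Node
# views are read because 32-bit IE on 64-bit Windows uses the latter.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-InstalledBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # The CLSID entry under HKCR carries the friendly name and, in its
            # InprocServer32 subkey, the path of the DLL IE will load.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null
            $dll  = $null
            if (Test-Path $clsidKey) {
                $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $server = "$clsidKey\InprocServer32"
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                }
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $exists   = [bool]($expanded -and (Test-Path $expanded))
            # An unsigned or missing DLL is not proof of malware, but it is what a
            # reviewer wants to look at first; a BHO with no CLSID entry at all is
            # a dangling registration left behind by an incomplete removal.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { $null }
            [pscustomobject]@{
                Wow64     = ($key -like '*Wow6432Node*')
                CLSID     = $clsid
                Name      = $name
                DllPath   = $expanded
                DllExists = $exists
                Signature = $sig
            }
        }
    }
}

Get-InstalledBho | Format-Table -AutoSize
```

Compare the output with what Spybot or SUPERAntiSpyware reports; a CLSID that is still listed after a cleanup, but whose DLL no longer exists, can be removed from the key by hand, while a DLL that exists and is unsigned is worth submitting to a second scanner before deciding.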

#2 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,564 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 October 2007 - 05:36 AM

What OS (Win XP/2000, etc.) are you using? What type of anti-virus are you using? Have you tried doing your scans in "SAFE MODE"? Are you doing scans while logged into the Administrator's account or an account with administrator privileges? You can also use the "Run As" command to start a program as an Administrator.

You need to start there first. If rescanning in safe mode does not help, then do this:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
Then perform at least one of these online Virus scans:
(The following require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
BitDefender Online Scanner <- Add a check by "Autoclean".
ESET Nod32 Online Scanner (Vista compatible)
F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation link].

#3 suttles95 (Topic Starter)

Posted 11 October 2007 - 09:31 AM

Thanks for the reply...

I'm at work now and will follow your instructions when I get home tonight...

Is there a way that I can send you the logs of the AdAware, Spybot, and Panda Active Scan reports? I'm especially concerned with the DeepDive BHO that's located in my registry.

--Brian

#4 jgweed
  • Staff Emeritus
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 11 October 2007 - 09:38 AM

I suggest you follow Quietman7's steps first, and have these applications quarantine all that they find (you may delete these after a few days). What our Members would like to see is any error messages (generally items they find that for some reason cannot be handled) you get when using these applications.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 suttles95 (Topic Starter)

Posted 11 October 2007 - 11:51 PM

Okay...

I downloaded both ATF Cleaner and SUPERAntiSpyware, rebooted the computer, and ran both of the programs in Safe Mode.

It took SUPERAntiSpyware almost 2 hours to run, and it finished by saying that my computer was clean.

I rebooted again in regular mode. When I opened up IE7, I had the same slowness problem. I ran 2 of the online scans, BitDefender and ESET Nod32. After 1 1/2 hours, ESET reported only 1 threat, but was only halfway done. Here's the description of what it found and deleted:

probably a variant of Win32\KillFiles trojan (unable to clean--deleted)
C:\Documents and Settings\Owner\Local Settings\Temp\207354\tmp149448859.tmp

BitDefender took the same amount of time to run but detected 10 items and said I have a trojan that it couldn't delete. I'm posting the log below.

But my internet is still bogging down extremely badly even after BitDefender ran its scan.

Please let me know what to do next...

--Brian

------------------------------------------------------------------------------------------

BitDefender Online Scanner
Scan report generated at: Thu, Oct 11, 2007 - 23:31:06
Scan path: C:\;D:\;E:\;
Statistics
Time 02:16:25
Files 290508
Folders 7419
Boot Sectors 3
Archives 10456
Packed Files 16834

Results
Identified Viruses 1
Infected Files 3
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 5

Engines Info
Virus Definitions 826352
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status
C:\Program Files\Dora`s World Adventure\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll Infected with: Trojan.Delf.EZ
C:\Program Files\Dora`s World Adventure\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll Disinfection failed
C:\Program Files\Dora`s World Adventure\bfgt_silent_en.exe=>(CAB Sfx r)=>nickarcade.dll Deleted
C:\Program Files\Dora`s World Adventure\bfgt_silent_en.exe=>(CAB Sfx r) Update failed
C:\Program Files\Norton AntiVirus\Quarantine\79BB494A.dll=>(Quarantine-2) Infected with: Trojan.Delf.EZ
C:\Program Files\Norton AntiVirus\Quarantine\79BB494A.dll=>(Quarantine-2) Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\79BB494A.dll=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP561\A0031129.dll=>(Quarantine-2) Infected with: Trojan.Delf.EZ
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP561\A0031129.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP561\A0031129.dll=>(Quarantine-2) Deleted

Edited by suttles95, 12 October 2007 - 07:21 AM.


#6 quietman7

Posted 12 October 2007 - 08:52 AM

What Trojan does BitDefender say you have that it cannot remove? According to your log, BitDefender:
1. detected and deleted nickarcade.dll in Program Files\Dora`s when disinfection failed.
2. detected and deleted 79BB494A.dll in NAV\Quarantine when disinfection failed.
3. detected and deleted 79BB494A.dll in SVI when disinfection failed.

All were related to Trojan.Delf.EZ.

#7 suttles95 (Topic Starter)

Posted 12 October 2007 - 08:54 AM

I don't know...I posted the complete log in the last post...

But something is obviously still there because it still takes 5-10 minutes to initially open a webpage...

#8 quietman7

Posted 12 October 2007 - 09:10 AM

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".

If you do not find any malware after that, see It's not always malware: How to fix the top 10 Internet Explorer issues.

#9 suttles95 (Topic Starter)

Posted 12 October 2007 - 10:42 AM

My wife downloaded Dr.Web CureIt and rebooted the computer in safe mode...

But when she opened the program and tried to run it, she got the following message:

C:\Documents and Settings\Owner\Desktop\Cureit.exe
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it

--Brian

#10 quietman7

Posted 12 October 2007 - 11:17 AM

Cureit is a stand-alone program and does not use a service.

Delete what you have and redownload from here:
http://download.drweb.com/drweb+cureit/

Then try again.

#11 suttles95 (Topic Starter)

Posted 12 October 2007 - 02:29 PM

When my wife ran the program, it detected a Trojan. When she clicked to delete it, a screen with the following message appeared:

"A problem has been detected, and Windows has been shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as CACHING or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select "Advanced Startup Options," and then select Safe Mode.

Technical information:

***STOP: 0X0000000A (0X00000023, 0X00000002, 0X00000000, 0X804S216B)

Beginning dump of physical memory. Physical memory dump complete.

Contact your system administrator or technical support for further assistance.

--------------

My wife has shut down the computer. Please advise me what we should do next.

#12 quietman7

Posted 12 October 2007 - 02:40 PM

The Stop 0xA message indicates that a kernel-mode process or driver attempted to access a memory location to which it did not have permission, or at a kernel interrupt request level (IRQL) that was too high. A kernel-mode process can access only other processes that have an IRQL lower than, or equal to, its own. This Stop message is typically due to faulty or incompatible hardware or software.

http://www.updatexp.com/stop-messages.html

However, some rootkits have been found to be accompanied by BSODs and various stop error/shutdown messages.

Try running the Dr.Web scan in normal mode.

When done, or if it does not complete, please download AVG Anti-Rootkit and save it to your desktop.
  • Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  • Accept the license and follow the prompts to install.
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with four buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, a small window will open so you can view the results.
  • Right click and select "Save Result To File".
  • By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.)
  • Copy and paste the results in your next reply.
  • If anything was found, click "Remove selected items"
  • If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.


#13 suttles95 (Topic Starter)

Posted 12 October 2007 - 10:11 PM

Okay...

Things are looking much better...

I ran Dr.Web in normal mode, and it pointed out 2 pieces of adware and deleted 14 (yes, 14) infections of the Trojan.Fakealert.351 trojan.

I then ran the rootkit and in-depth searches using AVG Anti-Rootkit, and nothing was found...

IE7 is running MUCH faster (at normal DSL Lite speed)...

Are there any last steps I should do to make sure I'm absolutely clear?

And what can I do to prevent this from happening again?

--Brian

#14 quietman7

Posted 13 October 2007 - 07:11 AM

If your issues are resolved you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To protect yourself against malware and reduce the potential for re-infection, read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"PC World's: The 10 Biggest Security Risks".
"Seven ways to keep your search history private".
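
The restore-point steps in the post above can also be done from a console, which makes it easier to record exactly which point is the clean one. The following PowerShell is an added example, not from this thread or from any tool it mentions; it assumes an elevated PowerShell on Windows Vista or later, where the Checkpoint-Computer and Get-ComputerRestorePoint cmdlets exist, and the function names and the description text are our own.

```powershell
# Added example (not from the thread): create a fresh System Restore point after a
# cleanup and list the points that exist, so the clean state is easy to identify.
# Assumes an elevated PowerShell on Windows Vista or later.

function New-CleanRestorePoint {
    param([string]$Description = "Clean state after malware removal")
    # Windows 8 and later silently skip a second request made within 24 hours
    # unless the SystemRestorePointCreationFrequency registry value is lowered;
    # the caller should check the returned point's timestamp rather than assume.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    # Return the newest point so its sequence number can be written down.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Get-RestorePointSummary {
    # CreationTime is a DMTF date string on the WMI object; ConvertToDateTime
    # turns it into a readable local timestamp.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

$newPoint = New-CleanRestorePoint
"Created restore point #$($newPoint.SequenceNumber): $($newPoint.Description)"
Get-RestorePointSummary | Format-Table -AutoSize

# Dropping the older points, which may still carry the infected files, is a
# separate and deliberate step. On Vista and later restore points live in VSS
# shadow copies, so the oldest can be removed with (assumption: adjust the drive):
#   vssadmin delete shadows /for=C: /oldest
# The Disk Cleanup "More Options" path in the post above does the same through the GUI.
```

Keep the sequence number and timestamp that the script prints with the rest of the cleanup notes; if the machine has to be rolled back later, that is the point to choose, and any point with a lower sequence number predates the cleanup and may reintroduce the quarantined files.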

#15 suttles95 (Topic Starter)

Posted 14 October 2007 - 11:42 AM

Done...

I'll let you know if anything else pops up...

Thanks for all of your help!

--Brian