
Internet Problems


  • This topic is locked
11 replies to this topic

#1 lorilee86

lorilee86

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:53 AM

Posted 28 November 2007 - 08:43 AM

Hi, I am new to your site and love all the information I have seen.

I was wondering if someone can help me with a problem?

When I am on the net I continually have about a 30 delay switching from site to site. Most of the time when I try to go to another site, another page comes up which redirects me to some search site, then the computer freezes for about 30 seconds. I try to close out of the redirected site with no success.

I have scanned my computer for any viruses and run scan disk, defragged, and everything else I can think of.

I do however keep getting a virus warning that I can not seem to remove: WIN32:TINY-JC[Trj]
Which I tell Avast to delete but it keeps coming back, could this be the issue????

HELP


#2 nightspydk

nightspydk

  • Members
  • 184 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:53 AM

Posted 28 November 2007 - 09:12 AM

Seems to be some sort of trojan downloader thingy.

Have you tried removing it in safe mode?

In any case you better go here and read the pinned topics
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

Another thing you could try is Kaspersky anti-virus, since it seems the trojan has been added to the database.

If you cannot remove it, it might be a good idea to post a HijackThis log in the appropriate section.

#3 lorilee86


Posted 28 November 2007 - 09:19 AM

WOW! Was that a quick reply... Thank you so much for the tip, I am off to work but will try this when I get home. THANKS AGAIN

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,588 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:53 AM

Posted 28 November 2007 - 01:57 PM

Did your scan provide a specific file name associated with this malware threat, and where is it located (file path) on your system?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 lorilee86


Posted 28 November 2007 - 08:50 PM

Tried what you asked and attempted to start my computer in safe mode. First it showed lots of file names scrolling on the page, then finally started in safe mode. As I was attempting to run AVG the icons would not stay on the page. Rebooted again trying to start in safe mode, it got hung up. So I have shut it down with the intent of trying it in a few.

I'll continue to let you know my progress.

#6 lorilee86


Posted 28 November 2007 - 09:04 PM

One more question, how do I send you this log if my computer is not functioning correctly? Where do I obtain the HijackThis file from? Thanks

#7 nightspydk


Posted 28 November 2007 - 09:48 PM

Run safe mode without network.
Don't worry about those files scrolling down the screen when you try to run in safe mode. They are just drivers etc. that the operating system loads. If you get an option to skip loading a driver and you have a problem entering safe mode, just select the skip option.
Just for future reference.
About your current situation, then like I said you need to read the topics in this section.
Run through the topic from the top -
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

What about what quietman7 is asking?

#8 lorilee86


Posted 28 November 2007 - 10:55 PM

I can't believe another night with nothing accomplished. My system was so slow that I shut it down twice and waited for awhile, then rebooted. Each time I was unable to get into safe mode. Maybe tomorrow will be better. Thanks for all the advice.

The virus stated that the file was in C:\Documents~1\LoriDe~1\Locals~1\Temp\fdgfrrqw.exe

Hope this helps.

#9 quietman7


Posted 29 November 2007 - 09:33 AM

If you cannot get your Internet working properly to download these programs, then you are going to need access to another computer (family member, friend, etc) with an Internet connection. Download the programs and save to a USB stick or CD. Then you can transfer them directly to the infected computer where you can use them.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
  • When Dr.Web opens, an "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report)
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.
Download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.


#10 lorilee86


Posted 29 November 2007 - 09:25 PM

Thank you for the information and tips. I will try that and see what happens.

I did manage to start my system in safe mode this morning and run SpyBot. I had several issues:
Ad Revolver
Cache
Common Dialogs
Cookie
Ms Office 9.0
Reliable Stats
Zedo

I thought I fixed those problems this morning. Came home tonight and thought all was well... started Internet Explorer and had a popup come up asking if I want to install this spyware program. I immediately clicked No, but it didn't stop. Tried to exit out with no luck. Immediately pulled the ethernet cable from my modem to stop installation.

Ran another scan with SpyBot and got the following files:
SHOULD I CONTINUE WITH YOUR INSTRUCTIONS NOW?

Vario.AntiVirus: Tracking cookie (Internet Explorer: Lori DeSilva) (Cookie, nothing done)


Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (15) (Cookie, nothing done)


Cache: Cache (127) (Cache, nothing done)


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-06-15 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-05-23 advcheck.dll (1.5.3.0)
2007-07-31 Tools.dll (2.1.2.0)
2007-11-14 Includes\Cookies.sbi
2007-11-14 Includes\Revision.sbi
2007-11-06 Includes\Tracks.uti
2007-05-30 Includes\Security.sbi
2007-11-07 Includes\Malware.sbi
2007-11-07 Includes\Spybots.sbi
2007-11-14 Includes\Trojans.sbi
2007-11-14 Includes\TrojansC.sbi
2007-11-14 Includes\SpybotsC.sbi
2007-11-14 Includes\SecurityC.sbi
2007-11-14 Includes\PUPSC.sbi
2007-11-14 Includes\MalwareC.sbi
2007-11-14 Includes\KeyloggersC.sbi
2007-11-14 Includes\HijackersC.sbi
2007-11-14 Includes\DialerC.sbi
2007-10-04 Includes\Keyloggers.sbi
2007-10-31 Includes\Dialer.sbi
2007-10-24 Includes\PUPS.sbi
2007-11-07 Includes\Hijackers.sbi
2007-06-06 Plugins\TCPIPAddress.dll
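
A Spybot report like the one posted above can be split into entries and sorted by entry type before anyone reads it line by line. The Python below is an added example, not part of the original thread or of Spybot itself; the function names, the `LOW_SIGNAL` set, and the final `Constructed.Example` entry with its path are assumptions made for illustration.

```python
import re

# Entry header as printed in the report above: "<product>: <item> (<kind>, <action>)"
ENTRY = re.compile(r"^(?P<product>[^:]+): (?P<item>.*) "
                   r"\((?P<kind>[^,()]+), (?P<action>[^()]+)\)$")
PATH = re.compile(r"^[A-Za-z]:\\")   # optional file-path line that follows an entry
# Assumption of this example: these kinds are usage tracks, not program files.
LOW_SIGNAL = {"Cookie", "Cache", "Backup file"}

def parse_report(text):
    """Return one dict per report entry, with its path line attached if present."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):          # version/file footer: stop parsing
            break
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "path": None})
        elif entries and PATH.match(line) and entries[-1]["path"] is None:
            entries[-1]["path"] = line
    return entries

def triage(entries):
    """Split entries into (low_signal, needs_review) by their kind field."""
    low = [e for e in entries if e["kind"] in LOW_SIGNAL]
    review = [e for e in entries if e["kind"] not in LOW_SIGNAL]
    return low, review

# Lines taken from the report above, plus one constructed entry (the last one).
SAMPLE = r"""
Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (15) (Cookie, nothing done)
Cache: Cache (127) (Cache, nothing done)

Constructed.Example: Program file (File, nothing done)
C:\Temp\constructed-example.exe

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""

if __name__ == "__main__":
    low, review = triage(parse_report(SAMPLE))
    print(len(low), "low-signal;", [(e["product"], e["path"]) for e in review])
```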

#11 quietman7


Posted 29 November 2007 - 11:35 PM

Yes. Continue with the instructions I have given.

#12 quietman7


Posted 02 December 2007 - 08:37 PM

I have moved your HijackThis log to the Misplaced HJT Logs forum. You posted your log in a forum not intended for analysis of these logs and probably missed the directions we provide to those who require assistance.

Your log can be found here.

Please follow all directions that I posted as a reply to your log. Following these instructions will ensure that your hijackthis log is properly posted so it can be reviewed in a timely manner.

If you have any questions please respond in that thread. To avoid confusion, I am closing this topic.