Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help!


  • This topic is locked This topic is locked
3 replies to this topic

#1 op684

op684

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 05 February 2008 - 07:16 PM

My sister's computer has been infected with some sort of virus. EVery time the PC loads, the desktop background is blue with a yellow box in the middle with this text inside: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." Other than that, the PC is VERY slow. When I try to click links on the internet, it forwards me to some search engines instead of the links. There are constant spontaneous dating websites/pornographic pop-ups even when there are no browsers open. Also spontaneously appear shortcuts on desktop that link to pornographic material on the internet. When I tried to download Firefox from mozilla.com, the version it downloads is French, instead of English, so I had to download the English version from some other website.

I've tried everything to fix this, but to no avail. No Smitfraud, adware/spyware remover, or any other program I tried removes it. Apparently, her PC caught the virus after she was browsing some Russian celebrity news websites.

I don't want to format the hard disk and reinstall, so is there anything I can do to fix her computer?

Please help in any way you can. Thanks a lot.

Here's the HiJack report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:04, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - {292c9657-b39c-41f9-993b-b34170bc9d79} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0651E167-92CF-427A-983A-B4155E2D52E9} - C:\WINDOWS\system32\CSCDL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202187441.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\emil\LOCALS~1\Temp\wdc1.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\emil\LOCALS~1\Temp\wda2.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm3.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu4.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\emil\LOCALS~1\Temp\wdc5.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\emil\LOCALS~1\Temp\wda6.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm7.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu8.exe
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4322 bytes

Edited by op684, 05 February 2008 - 07:17 PM.


BC AdBot (Login to Remove)

 


m

#2 op684

op684
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 05 February 2008 - 10:30 PM

Bump!

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:16 AM

Posted 15 February 2008 - 12:49 PM

Hello op684,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:16 AM

Posted 26 February 2008 - 10:33 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users