Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Toolbar And Viruses


  • This topic is locked This topic is locked
6 replies to this topic

#1 Cobra2

Cobra2

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:10 PM

Posted 14 October 2006 - 07:46 PM

Hi My son is infected and cant use is computer he as a toolbar that links too porn sites, each time he
try's to connect to Internet AVG keeps detecting viruses that cant be fixed or sent to vault
He has Spyware Doctor he cleans but all reinstalls I told him too deactivate system restore.
I can see lines to be removed but would appreciate Your opinion cause I'm not sure of a couple
Thanks for taking time to read this :thumbsup:

Heres the log file
Logfile of HijackThis v1.99.1
Scan saved at 12:43:54, on 2006-10-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\DOCUME~1\Jef\LOCALS~1\Temp\Répertoire temporaire 1 pour hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsp4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmick.exe] C:\WINDOWS\system32\dmick.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28588A67-5807-4EF2-A0B6-4410E53A0ED5}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{41E593A8-7A92-4616-8453-564CE7FA9D22}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FBE66B1-1DA6-4849-BAFC-B781840ED36D}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.188
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by Cobra2, 14 October 2006 - 09:57 PM.


BC AdBot (Login to Remove)

 


#2 Cobra2

Cobra2
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:10 PM

Posted 15 October 2006 - 04:34 AM

Forgot to mention that he cant do an online scan is connection keeps cutting off..... :thumbsup:

#3 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:08:10 PM

Posted 15 October 2006 - 06:12 AM

Hi Cobra2 and welcome to Bleeping Computer :thumbsup:

You should turn the system restore on. Even a dirty backup is better that no backup at all.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download HijackThis to your desktop from here -> HijackThis 1.99.1
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.

Please download FixWareout from one of these sites:Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
UNITE & ASAP member since 2006
Posted Image
Posted Image

#4 Cobra2

Cobra2
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:10 PM

Posted 16 October 2006 - 10:10 PM

Hi ,Gave my son all the info You gave me Mr_JAk3 he downloaded and ran Fixwareout but I didn't receive the Report. txt but sent me a new HijackThis log, he did put Spyware Doctor update witch removed that porn toolbar and was possible too stop viruses coming in by delete or heal . I was not too happy that he did this
instead of what You had suggested but he lives on his own now so cant see what he does :thumbsup: , so here is the latest log file hasn't change much except for line 02 system32\nsp4.dll as change too system32\nsz4.dll
Thanks for Your first reply :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 21:47:19, on 2006-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MACE: Internet Explorer v6.00 SAP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.ex
C:\WINDOWS\system32\csrss.ex
C:\WINDOWS\system32\winlogon.ex
C:\WINDOWS\system32\services.ex
C:\WINDOWS\system32\lsass.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\System32\svchost.ex
C:\WINDOWS\System32\svchost.ex
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\DOCUME~1\Jef\LOCALS~1\Temp\Répertoire temporaire 2 pour
hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} -
C:\WINDOWS\system32\nsz4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin
Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
- http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) -
http://cabs.media-motor.net/cabs/joysaver.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{28588A67-5807-4EF2-A0B6-4410E53A0ED5}:
NameServer = 85.255.116.59,85.255.112.188
O17 -
HKLM\System\CCS\Services\Tcpip\..\{41E593A8-7A92-4616-8453-564CE7FA9D22}:
NameServer = 85.255.116.59,85.255.112.188
O17 -
HKLM\System\CCS\Services\Tcpip\..\{9FBE66B1-1DA6-4849-BAFC-B781840ED36D}:
NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59
85.255.112.188
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. -
C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program
Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:08:10 PM

Posted 17 October 2006 - 01:57 AM

Hi again :thumbsup:

The C:\fixwareout\report.txt is really important. Please ask your son to post it .
It has some essential information that we need in the cleaning process.

Please post the contents of report.txt and we'll continue.

NOTE. If the file has already been removed, please run Fixwareout again. It will produce a fresh report.txt. Post the contents of that file to here.
UNITE & ASAP member since 2006
Posted Image
Posted Image

#6 Cobra2

Cobra2
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:10 PM

Posted 18 October 2006 - 02:33 AM

Hi Mr_JAk3
Well got in touch with my son only too find out he formatted is HD, needless too say
how I felt, so told him next time You do the search to fix it Yourself :thumbsup:

But do want too Thank You for Your time :flowers:
and all is not lost if ever this happens to me I will know what too do first and have saved Your links.

Sorry about this !!

Thanks for the help and info, Wishing You a Good Day :huh:

#7 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:08:10 PM

Posted 18 October 2006 - 03:55 AM

Don't worry, it is ok :thumbsup:

You're very welcome :flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users