PLEASE HELP!!!

Discussion in 'adware, spyware & hijack cleaning' started by CdS, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    >>>I ran Ad-aware (which found 12 objects, all .txt files in my cookies folder). The problems I'm experiencing are that my homepage keeps changing and Ad-watch keeps popping up. Windows also pop up telling me that a "Trojan horse Dialer.8.U" is found and to clean it up with AVG. I do that and here is the AVG log...

    Testing C:\ serial 30E4-82CA
    C:\Documents and Settings\USER\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\USER\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\CONTENT.IE5\S5WFY56X\SEXXX_~1.EXE Trojan horse Dialer.8.U
    C:\WINNT\DIALUP.EXE Trojan horse Dialer.8.U

    Test finished, duration 00:10:49.6 s
    19092 objects tested, 2 found infected

    >>>I quarantine the infected files to the vault, yet they always come back.

    >>>After following the 3 steps you have outlined, here is my HijackThis log...

    Logfile of HijackThis v1.97.7
    Scan saved at 5:57:40 AM, on 6/5/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\system32\CTSvcCDA.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\runwin32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    >>>This is a fairly new computer for me. I'm used to running Windows 98, not Windows 2000 (which I am currently running)... so, I am still a novice.

    >>>Also, a couple of (probably) related problems...
    #1: When Windows starts up, I get a window stating "Cannot Import sys.reg: Error opening the file. There may be a disk or file system error." Someone told me that it's not a big deal, but it's very irritating to have to close it every time I reboot.
    #2: I use Soulseek every day. Since this virus infection, Soulseek will never connect, nor will it allow me to connect manually. I have uninstalled and reinstalled the current version to no avail. It may possibly be a Soulseek server problem, but I'm doubting it. I believe it's because of these Trojans.

    THANKS IN ADVANCE!!!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi CdS,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz

    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe

    O4 - HKLM\..\Run: [sys] regedit -s sys.reg

    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    sys.reg
    C:\WINNT\runwin32.exe

    In IE under Tools > Internet Options > Connections tab > LAN settings, check whether a proxy is enabled that should not be there. If so, uncheck it.

    Regards,

    Pieter
     
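As an added example (the editor's own code, not part of this thread and not the logic of HijackThis or CWShredder), here is a small Python triage of the R0/R1 and O4 lines Pieter lists above. It parses the Internet Explorer start/search settings and the Run-key autostarts from the posted log, flags IE settings that point at a host outside an assumed allowlist of default hosts, and flags the two autostarts that matter for persistence: `regedit -s sys.reg`, which imports a .reg file without prompting at every logon (one way hijacked start-page values get re-applied after a fix), and `runwin32.exe`, an unknown executable sitting directly in the Windows directory. The sample lines are copied from the posted log; `DEFAULT_IE_HOSTS`, `KNOWN_GOOD_RUN_NAMES` and the flagging heuristics are assumptions made for this example.

```python
"""Triage of the R0/R1 and O4 lines in a HijackThis 1.x log.

Editor's added example, not code from HijackThis, CWShredder or this thread.
The sample lines are copied from the log posted above; DEFAULT_IE_HOSTS and
KNOWN_GOOD_RUN_NAMES are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hosts an IE 6 start/search setting may legitimately point at (assumption).
DEFAULT_IE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com",
                    "home.microsoft.com"}

# Run-key value names accounted for on this machine: driver and device
# utilities, the AV client, the pop-up blocker (assumption from the posted log).
KNOWN_GOOD_RUN_NAMES = {"Iomega Drive Icons", "Deskup", "NvCplDaemon", "AudioHQ",
                        "Pop-Up Stopper", "AVG_CC", "Synchronization Manager"}

# Representative lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
"""


@dataclass
class Finding:
    entry: str   # the HijackThis line as printed
    name: str    # IE value name (R lines) or Run value name (O4 lines)
    reason: str


R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.+)$")
O4_RUN_LINE = re.compile(r"^O4 - HK(?:CU|LM)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# An .exe sitting directly in %WinDir% rather than in system32 or Program Files.
WINDIR_ROOT_EXE = re.compile(r'^"?[a-z]:\\(?:winnt|windows)\\[^\\"]+\.exe', re.I)


def check_ie_setting(value_name: str, target: str) -> Optional[str]:
    """Reason if a start/search setting points at a host off the allowlist."""
    parsed = urlparse(target.strip())
    if parsed.scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host not in DEFAULT_IE_HOSTS:
            return f"IE {value_name} redirected to {host}"
    return None


def check_run_entry(name: str, command: str) -> Optional[str]:
    """Reason if a Run-key autostart looks like hijacker persistence."""
    cmd = command.strip()
    # 'regedit -s file.reg' (or /s) imports a .reg file without prompting at
    # every logon, so any registry cleanup is undone on the next reboot.
    if re.match(r"^regedit(\.exe)?\s+[-/]s\b", cmd, re.I):
        return "silent .reg import at logon re-applies registry changes"
    if name in KNOWN_GOOD_RUN_NAMES:
        return None
    if WINDIR_ROOT_EXE.match(cmd):
        return "unknown executable dropped directly in the Windows directory"
    return "autostart not in the known-good list"


def triage(log_text: str) -> list:
    """Scan R0/R1 and O4 Run lines and return the entries to fix, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, _, value_name, target = m.groups()
            reason = check_ie_setting(value_name, target)
        else:
            m = O4_RUN_LINE.match(line)
            if not m:
                continue
            value_name, reason = m.group(1), check_run_entry(m.group(1), m.group(2))
        if reason:
            findings.append(Finding(line, value_name, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:<24} {f.reason}\n    {f.entry}")
```

Run against the sample, the script reports the four IE settings pointing at easy-search.biz plus the UpdReg, sys and runwin32 autostarts, which is the same set Pieter asks to have fixed; the remaining Run entries are left alone because they are on the assumed known-good list. The proxy check Pieter mentions lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable / ProxyServer) and is not part of a HijackThis 1.97 log, so it is not covered here.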
  3. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    Thank you very much Pieter, it cleared the problems right up!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands