PLEASE HELP!!!

Discussion in 'adware, spyware & hijack cleaning' started by CdS, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    >>>I ran Ad-aware (which found 12 objects, all .txt files in my cookies folder). The problems I'm experiencing are that my homepage keeps changing and Ad-watch keeps popping up. Windows also pop up telling me that a "Trojan horse Dialer.8.U" is found and to clean it up w/ AVG. I do that and here is the AVG log...

    Testing C:\ serial 30E4-82CA
    C:\Documents and Settings\USER\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\USER\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\CONTENT.IE5\S5WFY56X\SEXXX_~1.EXE Trojan horse Dialer.8.U
    C:\WINNT\DIALUP.EXE Trojan horse Dialer.8.U

    Test finished, duration 00:10:49.6 s
    19092 objects tested, 2 found infected

    >>>I quarantine the infected files to the vault, yet they always come back.

    >>>After following the 3 steps you have outlined, here is my HijackThis log...

    Logfile of HijackThis v1.97.7
    Scan saved at 5:57:40 AM, on 6/5/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\system32\CTSvcCDA.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\runwin32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    >>>This is a fairly new computer for me. I'm used to running Windows 98, not Windows 2000 (which I am currently running)... so, I am still a novice.

    >>>Also, a couple of (probably) related problems...
    #1: When Windows starts up, I get a window stating "Cannot Import sys.reg: Error opening the file. There may be a disk or file system error." Someone told me that it's not a big deal, but it's very irritating to have to close it every time I reboot.
    #2: I use Soulseek everyday. Since this virus infection, Soulseek will never connect, nor will it allow me to manually. I have uninstalled and reinstalled the current version to no avail. It may possibly be a Soulseek server problem, but I'm doubting it. I believe it's because of these Trojans.

    THANKS IN ADVANCE!!!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi CdS,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz

    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe

    O4 - HKLM\..\Run: [sys] regedit -s sys.reg

    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    sys.reg
    C:\WINNT\runwin32.exe

    In IE under Tools > Internet-options > Connections tab > check under LAN settings if there is a Proxy checked that should not be there. If so uncheck it.

    Regards,

    Pieter
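
The triage behind the reply above, as an added example that is not part of the original thread and is not HijackThis code: it parses HijackThis R0/R1 and O4 Run lines and flags IE settings pointing at unexpected hosts, autoruns that silently import a .reg file, and autoruns that launch an executable sitting directly in the Windows directory. The `triage` function, the `EXPECTED_HOSTS` allowlist and both autorun heuristics are assumptions made for illustration; flagged entries still need a human review.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: hosts the reviewer expects to see in IE start/search settings.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?) = (\S+)$")
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
# Executable directly in the Windows directory, not in a subfolder such as system32.
WIN_ROOT_EXE = re.compile(r'^"?[A-Z]:\\(WINNT|WINDOWS)\\[^\\"]+\.exe', re.I)
SILENT_REG = re.compile(r"^regedit(\.exe)?\s+(-|/)s\b", re.I)

def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            host = (urlparse(m.group(4)).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                findings.append(("ie-setting", m.group(2), m.group(3), host))
            continue
        m = O4_RUN.match(line)
        if m:
            hive, name, cmd = m.groups()
            if SILENT_REG.match(cmd):
                findings.append(("autorun-silent-reg-import", hive, name, cmd))
            elif WIN_ROOT_EXE.match(cmd):
                findings.append(("autorun-exe-in-windows-root", hive, name, cmd))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

On the sample, the three autorun entries it flags are the same three O4 lines listed for fixing in the reply above.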
     
  3. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    Thank you very much Pieter, it cleared the problems right up!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands