Do you have Adware, Spyware, Virus/Trojan or a Browser Hijacker?

Discussion in 'Windows - Virus and spyware problems' started by CJC, Nov 21, 2004.

Thread Status:
Not open for further replies.
  1. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    585
    Likes Received:
    1
    Trophy Points:
    26
    Do you have Adware, Spyware, Virus/Trojan or a Browser HiJacker ??

    Even if you don't have any of the above that you know of, running these programs will help you keep clear of these nasties and keep your computer in tip top shape.


    First program to run is

    Adaware SE Personal, a free program by Lavasoft, which you can download from
    http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1

    First off, after you have installed this, click on the Update Icon which looks like

    [​IMG]

    Click on the Connect button, this will search and make sure it has the latest updates.

    If it doesn't have the latest updates it will say it has found updates.

    Click on Ok, if it has the latest, click on Finish with the Green Tick.

    Now the updating is done, now it's time to scan your computer.

    Click on the Start button at the bottom right hand side of the screen, then click Next.

    This is now scanning your Hard drive for Adware, this may take a little while depending on your hard drive size and the amount of files you have.

    Once it has finished click Next.

    It will now show you the Critical Objects.

    Right click somewhere in that area then select Select all objects.

    Now click on the Negligible Objects tab then do the same.

    Then click Next. It will now say, XX objects will be removed. Continue?

    Click on Ok.

    Now you can close the program and run Spybot.


    The Second program to run is

    Spybot - Search and Destroy, also another free program, which you can download from

    http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=lst-0-2

    Ok, like Adaware, you will need to update this.

    You can do this by clicking the Update Icon which looks like this

    [​IMG]

    Now click on the Search for Updates button at the top of the screen.

    This will connect to the Spybot servers and check to see if there are any updates.

    If there are, they will be listed in the white space below the buttons, otherwise it will say No New Updates.

    Click on the CheckBoxes next to each of the updates then click on Download Updates.

    Ok, now you're all up to date, click on Search & Destroy on the top left hand side, then click on Check for Problems.

    The speed will vary once again from Hard Drive size etc.

    This in most cases takes longer than Adaware.

    Once it's scanned, they should have Ticks already in the Check Boxes, if they don't, tick them.

    Now click on Fix Selected Problems near the Check for Problems button

    Now that you have run those, now it's time to run an Online Virus Scan.

    Go to http://housecall.trendmicro.com

    Under the Scan Your PC heading, click on Scan Now. It's Free!

    Now from the drop down box, Select the Country you are from then click Go

    Once it has updated you are ready to select your hard drive and scan.

    If you are running Windows XP, you will need to choose the Install ActiveX when the warning bar appears, otherwise it won't go any further.

    Click in the Check Box next to the drive you want to scan (eg C:\) then on the right hand side Click in the Check Box near AutoClean

    Now click on Scan

    Let that scan. It will then display if you have any viruses, and if it can't auto clean, click on the file then click on Delete on the right.

    [NEW ADDITION 13/12/04]

    How to Remove Browser Hijacker

    Download Adware Away (free 5 day trial) from

    http://www.download.com/Adware-Away/3000-8022_4-10342100.html?tag=lst-0-1

    Open up Adware Away

    Now click on the Scan Button, and this will do a scan on some potential security issues.
    It will also see if there is a keylogger installed.

    3/4 of the way through this scan, it will say detect keylogger, make sure you press ENTER and not click on the button.

    Once it has completed, click Next

    Generally it will have a few SERVICE: xxx -- Not Necessary, you don't really need to worry about that, and usually there is a C:\Windows\System32\userinit.exe, you don't need to worry about that either. If there is anything else, put a tick then go Fast Fix.

    Now on the left hand side click on Remove Hijackers.
    Down the bottom it will have Scan All

    Once it has scanned it will show something like Totally Found [xx] Malware Objects!

    Scan About:Blank Hijacker ... Start
    Scan About:Blank Hijacker ... Finished
    Scan About:Blank Hijacker (Real blank page ) ... Start
    Found [10] About:Blank Hijacker (Real blank page ) Objects.
    Scan About:Blank Hijacker (Real blank page ) ... Finished
    Scan About:Blank Hijacker Variant 5 ... Start
    Found [0] About:Blank Hijacker Variant 5 Objects.
    Remove About:Blank Hijacker Variant 5 ... Finished

    Now, find About:Blank Hijacker (Real blank page ) in the top right hand box, then select Remove.

    You will now see something like
    Remove About:Blank Hijacker (Real blank page ) ... Start
    The following operation will make your desktop disappear, don't worry about it.
    Totally [10] About:Blank Hijacker (Real blank page ) Objects were removed.
    Remove About:Blank Hijacker (Real blank page ) ... Finished

    Click on Scan All again, and it should now say - Totally Found [0] Malware Objects!

    Move onto the next one, which is Remove Adwares. Do the same to Adwares, Spywares and Trojan & Worms.

    Now you are complete.

    Now you should be Adware, Spyware and Virus FREE.

    I recommend that you run these every week or every fortnight to keep your computer clean and running nice, with no nasties (except Adware Away, as it's only a 5 day trial)

    CJC
     
    Last edited: Dec 12, 2004
  2. tarroso

    tarroso Guest

    Help! I don't know what else to do!
    I've scanned my system with Ad-aware, Spybot and Hijackthis. I've also made a scan with Norton Antivirus. These are all updated, I've done this today. I think I still have something, because I can't open google.com (only google.fi) or hotmail.com.
    The Hijackthis gave me the following results:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:26:12, on 24-11-2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ESB.exe
    C:\WINDOWS\System32\4mtcsb.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programas\Synaptics\SynTP\SynTPLpr.exe
    C:\Programas\Synaptics\SynTP\SynTPEnh.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\mshepl.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    C:\Programas\Cisco Systems\VPN Client\cvpnd.exe
    C:\Programas\Ficheiros comuns\EPSON\EBAPI\eEBSVC.exe
    C:\Programas\Ficheiros comuns\EPSON\EBAPI\SAgent2.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\Programas\Norton AntiVirus\navapsvc.exe
    C:\Programas\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Programas\Norton Internet Security\ccPxySvc.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
    C:\Programas\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\rsvp.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\eu\Ambiente de trabalho\HijackThis.exe
    C:\Programas\Symantec\LiveUpdate\AUpdate.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pesquisa.clix.pt/ie5.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clix.pt
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer disponibilizado por Clix
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uminho.pt:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus CX3200 (cópia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P29 "EPSON Stylus CX3200 (cópia 1)" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [UStorage] c:\programas\u-storage tools2.1\ustorage.exe sys_auto_run C:\Programas\U-Storage Tools2.1
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [xjggtzhjkfr] C:\WINDOWS\system32\xjotdxy.exe
    O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\osk.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Sitecom WLAN Client Utility.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38083.4124421296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2

    If someone could help me I would appreciate it, because I really don't know what's going on. Thanks!
     
  3. CJC

    CJC Regular member

    Sorry for the delay, been busy at work.

    Go in and delete 4mtcsb.exe file

    Click in the boxes next to these and click Fix


    C:\WINDOWS\System32\4mtcsb.exe
    C:\WINDOWS\mshepl.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pesquisa.clix.pt/ie5.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clix.pt
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer disponibilizado por Clix
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uminho.pt:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    R3 - Default URLSearchHook is missing

    **O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe (Don't know what this is, if you do, keep it, if not tick)

    O4 - HKLM\..\Run: [xjggtzhjkfr] C:\WINDOWS\system32\xjotdxy.exe
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\osk.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2

    CJC
     
  4. tarroso

    tarroso Guest

    I've done everything except deleting that file because it seemed like my easy start button needed that. I've scanned my computer with norton antivirus, F-Secure, Spybot, Ad-Aware, Hijackthis and Giant Antispyware. F-Secure found some trojans and renamed them. I deleted the renamed files. Still I have problems, I still can't connect to google.com, msn.com, symantec.com, windows update and now it's very difficult to connect to msn messenger. I'm starting to believe the best option is to format the whole thing, because no one seems to know what's up with my computer :(
    Anyway, I appreciate the help, and I hope someone will help me until Saturday, otherwise I will spend Sunday backing up my disks
     
  5. CJC

    CJC Regular member

    Hey

    Try deleting your Temp files and Temp Internet Files.

    By the sounds of it your computer has been pretty well infected with a fair bit of stuff.

    It's possible the trojan/virus etc has changed something in the HOSTS file which is telling your computer to look elsewhere for those sites.

    CJC
     
  6. tarroso

    tarroso Guest

    Hi,

    Well, I did all that but then I noticed some weird dns servers which appeared in the hijackthis logs of other people with the same problem. Then I went to my network connections settings and I found out that there were 4 dns servers in the favorites. Two of them were very alike and so I assumed that they were the "real" ones. The other two were those I mentioned, and they were active. I deleted them from the favorites and I put again the "real" ones (one as alternate). I made a reboot and now everything seems ok, I think I will see how it goes for a couple of days and if it's not ok I will post here again and have my disks formatted. Do you think I messed up? Thank you very much for your help :)
     
  7. CJC

    CJC Regular member

    At least it's working :)

    Glad you kind of got it sorted.

    If you have any more problems, post away.

    CJC
     
  8. tarroso

    tarroso Guest

    Well, I just wanted to say that those "strange" DNS servers weren't recognized by the company from which I get the internet connection. So I guess they were really fake.
     
  9. tarroso

    tarroso Guest

    By the way, here they are:

    209.47.15.118
    64.157.143.38
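
The comparison tarroso describes (resolvers listed on the O17 line versus the ones the ISP issued) can be scripted. The following is an added example, not part of the original thread and not HijackThis code; the regular expression, the function names and the choice of the two 194.100.224.x addresses as the expected resolvers (taken from the poster's account) are assumptions.

```python
import ipaddress
import re

# O17 lines as HijackThis prints them: registry key, then the NameServer value.
O17_RE = re.compile(
    r"^\s*O17 - (?P<key>HKLM\\.+?): NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            # The NameServer value is a comma- or space-separated list.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def audit_dns(log_text, expected):
    """Sort every configured resolver into expected / unexpected / malformed."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    report = {"expected": [], "unexpected": [], "malformed": []}
    for key, servers in parse_o17(log_text):
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                # Not an IP address at all: report it rather than skip it.
                report["malformed"].append((key, s))
                continue
            bucket = "expected" if addr in allowed else "unexpected"
            report[bucket].append((key, str(addr)))
    return report


# Two lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2
"""

# Assumption: the two resolvers the poster kept as the "real" ones.
ISP_RESOLVERS = ["194.100.224.4", "194.100.224.2"]

if __name__ == "__main__":
    for key, addr in audit_dns(SAMPLE_LOG, ISP_RESOLVERS)["unexpected"]:
        print(f"unexpected resolver {addr} set under {key}")
```

Anything reported as unexpected should be confirmed with the ISP or network administrator before it is removed, as the poster did.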
     
  10. CJC

    CJC Regular member

    The First IP is registered to:
    Colosseum Online Inc. COLOSS-VLAN155-BLK1

    The Second IP is:
    Level 3 Communications, Inc.

    CJC
     
  11. tarroso

    tarroso Guest

    Is that suspicious? I mean it isn't legitimate, is it?
     
  12. CJC

    CJC Regular member

    Both those places look like they could be an ISP or a large company cause they both have a fair amount of IPs, so it could just be one of their clients.

    I think it's suspicious

    CJC
     
  13. tarroso

    tarroso Guest

    OK, but they're gone anyway and all I have is the ones that my internet company gave me. Thanks!
     
  14. DopeFreak

    DopeFreak Regular member

    Joined:
    Mar 15, 2004
    Messages:
    194
    Likes Received:
    0
    Trophy Points:
    26
    Get McAfee Anti Spyware, it is the best by far, but use both Adaware SE McAfee gets rid of major spyware that fuks up the computer, Adaware only catches the minor
     
  15. geestar20

    geestar20 Active member

    Joined:
    Mar 5, 2004
    Messages:
    2,902
    Likes Received:
    0
    Trophy Points:
    66
    So does Norton Internet Security. IMO Norton is the best by far.
     
  16. CJC

    CJC Regular member

    I agree with Geestar20, Using all types of AntiVirus etc programs on not only my computer, but customer computers, Nortons is one of the best.

    CJC
     
  17. tarroso

    tarroso Guest

    yes, i thought norton was the best, but it didn't detect anything and f-secure detected some trojans. so i don't know what to think. anyway i think my computer is still healthy, and that's what matters to me.
     
  18. geestar20

    geestar20 Active member

    The Norton 2005 and Internet Security detects Viruses and spyware and has a personal firewall...what more can you ask for.

    Quoted from Norton's web site:

    http://www.symantec.com/sabu/nis/nis_pe/features.html
     
    Last edited: Dec 7, 2004
  19. tarroso

    tarroso Guest

    ok, you're probably right, i didn't have the norton 2005, i had the version that came with my computer about 6 months ago, the firewall and the antivirus. i'll check the new version. thanks!
     
  20. DarrenOk

    DarrenOk Member

    Joined:
    Nov 27, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    I have just uninstalled Adaware 6.0 latest update which identified no problems. I installed Adaware se personal and it has found approx 100. Make your own conclusions up.
     