Options

Problems with Trojans

Unknown
edited December 2005 in Spyware & Virus Removal
I have at least 7 viruses on this computer, all of them being Trojans. I can't view a lot of websites on Internet Explorer and MSN Messenger doesn't work properly, and this pop up for "Best Offers" keeps popping up almost every time I open or refresh the browser. I don't know about any other abnormalities (this is my aunt's computer), but I haven't the faintest clue how to remove them. Here is the list of trojans according to AVG Free Virus Scanner:

Dropper.Surfside.A
Downloader.Generic.BUN
Backdoor.Sdbot.112.AX (four different files)
Downloader.Agent.AOD
Downloader.Generic.ALF
Downloader.Generic.BUN

Please can someone tell me how to remove these viruses? Windows ME is on this computer.

Comments

  • chiazchiaz
    edited November 2005
    Please download and run A-squared Free.
    http://www.emsisoft.com/en/software/free/
    Fix whatever it finds and reboot.

    Please run this online scan:
    http://housecall.trendmicro.com/
    and reboot.

    Open 'My Computer', then double-click to open C:\ (or the drive letter that your Windows is installed)
    In the menu bar, click File-->New-->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ or C:\HijackThis\ folder.
    Now download this program to that folder you created:
    http://castlecops.com/downloads-file-328.html

    Now go to the folder and unzip the program.
    Double click on HiJackThis.exe
    Click on "Do a System Scan and Save a log"
    Save the log and copy and paste that log back here to this thread.

    DO NOT FIX ANYTHING YOURSELF!
  • JediKathrynIsmal
    edited November 2005
    Here is the log you requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:34:01 AM, on 11/20/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\A-SQUARED\A2GUARD.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\1132461195\EE\AOLHOSTMANAGER.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\1132461195\EE\AOLSERVICEHOST.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\1132461195\EE\AOLSERVICEHOST.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\FDM.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.2607.0\EN-US\MSNTB.DLL
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132461195\ee\AOLHostManager.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab

    I encountered a few other problems while trying to do all of this. I couldn't run the second program because when I clicked on the link the program wouldn't even come up, and when I opened the C:\ folder, I found that I couldn't see any of the files unless I put the "Folders" option on the side.
  • webwarriorwebwarrior
    edited November 2005
    Back up and format ASAP!

    They will download more to your machine, or rename themselves.

    Is this a critical machine?
  • TroganTrogan London, UK
    edited November 2005
    JediKathrynIsmal, please DO NOT listen to webwarrior at all.

    Webwarrior, please do not tell users to format their computer. Formatting is only a last resort, which barely happens with infected computers. Yeah, it would be easier for everyone just to format after one virus or spyware attack but there is no need.

    So, pleae keep your formatting comments to yourself....Thanks :)
  • chiazchiaz
    edited November 2005
    I don't like the looks of your log. There are pretty nasty stuff in there.
    Please download the following Symantec's removal tool and run it:
    http://securityresponse.symantec.com/avcenter/FxIeplgn.exe
    Reboot.

    Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

    1) Run Ad-Aware, and click Check for updates now.

    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Click Proceed.

    3) To start the scan, Click > "Scan Now" at left
    • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    • Select "Search for low-risk threats"
    • Select "Perform full system scan"
    • Click Next
    4) When the scan has completed, select Next.
    • In the Scanning Results window, select the "Critical Objects" tab.
    • Right-click on the screen and choose "Select all objects"
    • In the "Scan Summary" tab, check the box next to each additional "target family" you wish to remove.
    • Click Next to remove the objects selected, and click OK to the prompt.
    • Restart the computer.

    Download Spybot S&D 1.4 here:
    http://safer-networking.org/en/news/2005-05-31.html
    or
    http://www.majorgeeks.com/download2471.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in RED by pressing "Fix selected problems".
    Close Spybot S&D, reboot your system.


    Rescan with HijackThis and post a fresh log.
  • TroganTrogan London, UK
    edited December 2005
    Jenya, please start your own thread.

    It states clearly at the top in BIG RED LETTERS not to post your log in the thread of someone else.


    Thanks :)
  • jenya
    edited December 2005
    sorry, I am starting my own thread
  • TroganTrogan London, UK
    edited December 2005
    No problem :)


    Either myself or someone else will help you out soon :)
Sign In or Register to comment.