SLOW


#1
metwo (New Member, 7 posts)
Suddenly my PC (running on ME) is running incredibly slowly. Trying to defrag and use ScanDisk is of no use as they appear to keep "tripping over" and never complete the job. Also, my default internet connection should be Google, but whenever I restart my PC I am automatically redirected to an unsolicited site. I change it each time on the internet connections tab but it just won't stay there!!

Please advise.

Thank you


#2
Smokey (Member 1K, Retired Staff, 1,423 posts)
Welcome metwo :D

Sounds like the typical spyware. We can help you get rid of it and fix your computer <_<. Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, so DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results. :D

#3
metwo (Topic Starter, New Member, 7 posts)
HijackThis log as requested

Logfile of HijackThis v1.97.7
Scan saved at 21:05:16, on 18/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

#4
Smokey (Member 1K, Retired Staff, 1,423 posts)
It doesn't look like you posted your entire log. Please copy and paste the entire log. Thanks <_<!

#5
metwo (Topic Starter, New Member, 7 posts)
Logfile of HijackThis v1.97.7
Scan saved at 22:30:30, on 18/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFU\IEFU.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFU\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEFU\MSSEARCH.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

This is all there is!
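The three entry types in metwo's log (R0/R1 start and search pages pointing at a res:// resource inside a DLL, O2 BHOs with no name loaded from Application Data, and O4 autoruns that use rundll32 to load a DLL dropped in the Windows directory) can be triaged mechanically. The script below is an added example, not part of the thread or of HijackThis; the sample lines are constructed from the kinds of entries shown above, and the flag rules are the author's own heuristics.

```python
import re

# Constructed sample, modelled on the entry types in metwo's HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFU\MSIESH.DLL
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O9 - Extra button: Related (HKLM)
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUNDLL_WINDIR_RE = re.compile(r"rundll32(?:\.exe)?\s+c:\\windows\\[^\\\s]+\.dll", re.IGNORECASE)

def parse_entries(log):
    """Return (kind, body) pairs for every R/O entry in a HijackThis log; other lines are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def flag_entry(kind, body):
    """Return a reason string if the entry matches a hijack heuristic, else None."""
    if kind in ("R0", "R1"):
        # A start/search page should be a web URL; res:// loads HTML out of a local DLL.
        target = body.rsplit("=", 1)[-1].strip().lower()
        if not target.startswith(("http://", "https://")):
            return "start/search page set to a local resource, not a web URL"
    elif kind == "O2":
        # O2 body layout: "BHO: <name> - {CLSID} - <path to DLL>"
        parts = body.split(" - ")
        name = parts[0].replace("BHO:", "", 1).strip()
        path = parts[-1].upper()
        if name in ("(no name)", ".") or "\\APPLICATION DATA\\" in path:
            return "unnamed BHO, or BHO loaded from a user data directory"
    elif kind == "O4" and RUNDLL_WINDIR_RE.search(body):
        return "autorun uses rundll32 to load a DLL sitting directly in the Windows directory"
    return None

def triage(log):
    """List (kind, body, reason) for every flagged entry, in log order."""
    return [(k, b, r) for k, b in parse_entries(log) if (r := flag_entry(k, b))]

if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

The McAfee O4 entry and the O9 button are left alone, which is the point of the heuristics: only the entries a helper would ask about get a reason attached.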

#6
ditto (- i pwn n00bs -, Member, 1,260 posts)
Hey metwo

You may have a virus located at C:\WINDOWS\ptsnoop.exe. That file name is valid for some programs, but a backdoor trojan sometimes copies itself using valid names. We are going to do two scans of your system. Please download the two programs and run them. Reboot afterwards and reply with a new log. Thanks!


Click here to download AVG
Click here to download The Cleaner

ditto

#7
metwo (Topic Starter, New Member, 7 posts)
THE CLEANER - LOG


Filename Trojan Action
-------- ------ ------
c:\windows\desktop\j.exe PerfectKeylogger Cleaned (Delete)
c:\windows\desktop\my briefcase\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\offline web pages\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\downloaded program files\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\8nuzxvtl\noadware[1].htm PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\dhzqyakn\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\dhzqyakn\ads[1].htm PerfectKeylogger Cleaned (Delete)


AVG LOG

Results of Complete Test, date and time 19/04/2004 21:17:45 :

Testing C:\ volume GB03G3 serial 1849-1ADD
C:\MSSYSINF.EXE repaired
C:\_RESTORE\TEMP\A0060497.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0061523.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0061596.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0064681.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0065828.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0077868.CPY Trojan horse Dialer.6.C
C:\_RESTORE\TEMP\A0077873.CPY Trojan horse Dialer
C:\_RESTORE\TEMP\A0036448.0 Trojan horse Downloader.Tooncom.K
C:\_RESTORE\TEMP\A0036449.CPY Trojan horse Downloader.Tooncom.H
C:\_RESTORE\TEMP\A0036683.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0038000.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040014.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040204.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040304.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042412.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042582.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042651.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042698.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042806.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042900.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0042948.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044020.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044097.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044213.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044327.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0046196.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0079363.CPY Trojan horse Downloader.Winshow.V
C:\WINDOWS\MSXMIDI.EXE Trojan horse Downloader.Winshow.R
C:\WINDOWS\IMAGE.DLL Trojan horse Downloader.Winshow.W
C:\WINDOWS\Application Data\IEFU\IEFU.DLL Trojan horse Downloader.Winshow.V
C:\Program Files\Common Files\UPDATER\DELUPDAT.EXE repaired

Test finished, duration 00:10:02.9 s
16609 objects tested, 32 found infected

AVG showed that the PC is infected with Trojan horse Downloader.Tooncom.K and recommended that I click the "move to Virus Vault" button. However, when I clicked the button to do so, the message "Cannot be removed" appeared!!

Thanks for your help so far! What next?

#8
admin (Founder Geek, Community Leader, 24,639 posts)
AVG is unable to remove the virus because it's located in a system restore file. Restart your computer in Safe Mode (by tapping F8 at startup and selecting Safe Mode from the menu).

Disabling system restore:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

Run a system scan with AVG. When it has finished, restart and enable System Restore again. <_<

#9
metwo (Topic Starter, New Member, 7 posts)
Sorry, but I can't seem to make this work. I am running Windows ME. At what point do I press F8 (I am not sure what you mean by "at start up")? Also, clicking Properties on My Computer doesn't give a System Restore tab?

Please help.

Thanks

#10
admin (Founder Geek, Community Leader, 24,639 posts)
Instead of tapping F8 you can also try holding down the CTRL (control) key. You do this right as your computer restarts. More info here:
http://service1.syma...ExpandSection=4

Here's a link to disabling system restore in ME:
http://service1.syma...src=sec_doc_nam

#11
Resident_Blonde (Formerly known as "Crafty_Girl", Member, 558 posts)
Hey Metwo,

Try this to get it to start in "safe mode":

Start, Shut Down, then hit the Restart button....

Once you hit the Restart button, hold down the CTRL key. Then, as your 'puter is coming back up, you may get a black screen stating "stuck key". You will then have an option of resuming with "F2": press F2 and continue holding the CTRL key until the "Safe Mode" options come up, then select the Safe Mode selection...

I hope this helps...
staci

#12
metwo (Topic Starter, New Member, 7 posts)
yup, thanks

#13
metwo (Topic Starter, New Member, 7 posts)
I have now completed the steps suggested and all trojans, spyware etc. appear to have been banished.

This service is absolutely fantastic. Thanks to all for their help :D :D <_<

Keep up the good work.

#14
ditto (- i pwn n00bs -, Member, 1,260 posts)
You're quite welcome. I'm glad we could help you out. <_<