Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

SLOW


  • Please log in to reply

#1
metwo

metwo

    New Member

  • Member
  • Pip
  • 7 posts
Suddenly my pc (running on ME) is running incredibly slowly . Trying to defrag and use scan disc is of no use as they appear to keep "tripping over" and never complete the job. Also, my default internet connection should be google but whenever i restart my PC I am automatically redirected to an unsolicited site. I change it each time on the internet conections tab but it just wont saty there!!

Please advise.

Thankyou
  • 0

Advertisements


#2
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Welcome metwo :D

Sounds like the typical spyware. We can help you get rid of it and fix your computer <_<. Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results. :D
  • 0

#3
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hijack Log as requested




Logfile of HijackThis v1.97.7
Scan saved at 21:05:16, on 18/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
  • 0

#4
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
It doesn't like you posted your entire log. Please copy and paste the entire log. Thanks <_<!
  • 0

#5
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.97.7
Scan saved at 22:30:30, on 18/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFU\IEFU.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFU\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEFU\MSSEARCH.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

This is all there is!
  • 0

#6
ditto

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
Hey metwo


You may have a virus located at C:\WINDOWS\ptsnoop.exe. That file name is valid for some programs, but a backdoor trojan sometimes copies itself using valid names. We are going to do two scans of your system Please download the two programs and run them. Reboot afterwards and reply with a new log. Thanks!


Click here to download AVG
Click here to download The Cleaner

ditto
  • 0

#7
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
THE CLEANER - LOG


Filename Trojan Action
-------- ------ ------
c:\windows\desktop\j.exe PerfectKeylogger Cleaned (Delete)
c:\windows\desktop\my briefcase\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\offline web pages\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\downloaded program files\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\8nuzxvtl\noadware[1].htm PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\dhzqyakn\desktop.ini PerfectKeylogger Cleaned (Delete)
c:\windows\temporary internet files\content.ie5\dhzqyakn\ads[1].htm PerfectKeylogger Cleaned (Delete)


AVG LOG

Results of Complete Test, date and time 19/04/2004 21:17:45 :

Testing C:\ volume GB03G3 serial 1849-1ADD
C:\MSSYSINF.EXE repaired
C:\_RESTORE\TEMP\A0060497.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0061523.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0061596.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0064681.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0065828.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0077868.CPY Trojan horse Dialer.6.C
C:\_RESTORE\TEMP\A0077873.CPY Trojan horse Dialer
C:\_RESTORE\TEMP\A0036448.0 Trojan horse Downloader.Tooncom.K
C:\_RESTORE\TEMP\A0036449.CPY Trojan horse Downloader.Tooncom.H
C:\_RESTORE\TEMP\A0036683.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0038000.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040014.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040204.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0040304.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042412.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042582.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042651.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042698.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042806.CPY Trojan horse Downloader.Esepor.AA
C:\_RESTORE\TEMP\A0042900.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0042948.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044020.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044097.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044213.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0044327.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0046196.CPY Trojan horse Downloader.Winshow.X
C:\_RESTORE\TEMP\A0079363.CPY Trojan horse Downloader.Winshow.V
C:\WINDOWS\MSXMIDI.EXE Trojan horse Downloader.Winshow.R
C:\WINDOWS\IMAGE.DLL Trojan horse Downloader.Winshow.W
C:\WINDOWS\Application Data\IEFU\IEFU.DLL Trojan horse Downloader.Winshow.V
C:\Program Files\Common Files\UPDATER\DELUPDAT.EXE repaired

Test finished, duration 00:10:02.9 s
16609 objects tested, 32 found infected

The avg system showed that the pc is infected with trojan horse downloader.toon.comk and recommended that I click the "move to virus fault" button. However when I clicked the button to do so the message "Can not be removed" appeared!!


Thanks for you help so far! What next?
  • 0

#8
admin

admin

    Founder Geek

  • Administrator
  • 24,489 posts
AVG is unable to remove the virus because it's located in a system restore file. Restart your computer in Safe Mode (by tapping F8 at startup and selecting Safe Mode from the menu).

Disabling system restore:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

Run a system scan with AVG. When finished restart, and enable system restore again. <_<
  • 0

#9
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry but I cant seem to make this work. I am running windows ME. At what point do I press F8 (I am not sure what you mean by at start up). Also clicking properties on my computer doesnt give a system restore tab?

Please help.

Thanks
  • 0

#10
admin

admin

    Founder Geek

  • Administrator
  • 24,489 posts
Instead of tapping F8 you can also try holding down the CRTL (control) key. You do this right as your computer restarts. More info here:
http://service1.syma...ExpandSection=4

Here's a link to disabling system restore in ME:
http://service1.syma...src=sec_doc_nam
  • 0

#11
Resident_Blonde

Resident_Blonde

    Formerly known as "Crafty_Girl"

  • Member
  • PipPipPip
  • 558 posts
Hey Metwo,

Try this on getting it to start in "safe mode"

Start, shutdown, then hit the restart button....

And once you hit the restart button hold down the CTRL key, then as your puter is coming back up, you may get a black screen stating "stuck key" Then you will have a option of resuming "F2" click on F2 and continuing holding the CTRL key till the Options of "Safe Mode" comes up, then select the safe mode selection...

I hope this helps...
staci
  • 0

#12
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
yup, thanks
  • 0

#13
metwo

metwo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I have now completed the steps suggested and all trojans, spyware etc appear to have banished.

This service is absolutely fantastic. Thanks to all for their help :D :D <_<

Keep up the good work.
  • 0

#14
ditto

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
You're quite welcome. I'm glad we could help you out. <_<
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP