PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] computer acting funny

#1 PraiseJah, 11-27-2005
[Fixed] computer acting funny

I'm on my cousin's computer and she says it's been acting funny. No sound for one, it's really slow, has a hard time getting online, and freezes, and I think that's it on this one. The other computer she has doesn't get on the internet even though it has a connection, it's deathly slow, freezes at the drop of a hat and stuff like that. I can't get a HJT file from it though 'cause I can't get it online. Here is the log for this computer though. Thanks.
Attached Files
File Type: log hijackthis.log (13.2 KB, 4 views)


#2 joe5, 11-27-2005

Hya PraiseJah, I believe you when you say that that computer is acting funny.

It's infected pretty bad I'm afraid. First, can you follow the "Prework" instructions (see the link below in my sig), and run Stinger and at least one online AV scan (see also below for links).

Then I would also recommend a Spysweeper scan:


Download and scan with Spysweeper from:
http://www.webroot.com/downloads/ (click on free trial.)

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.

Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
Check "Local Disc C" and under "What to Sweep", check every box.
Click on "Sweep" and allow it to fully scan your system.
When the sweep has finished, click "Remove" to remove any items found.

Click on "Results" and then on the "Session Log" tab.
Then click on "Save to File" and save the log to your desktop.

Close SpySweeper.

NOTE: After Spysweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.
Then please attach the Ewido log , the Spysweeper log and a new hjt log please.


Also there are 2 AV apps running now; that is costing performance and causing conflict issues and is doing more harm than good I'm afraid. It's best to uninstall one, or disable its autoprotect/realtime scanning.


And you can follow most steps on the second PC by copying things to floppy/CD and installing them that way.
But please make a separate topic for the second PC; it would get a bit confusing to fix two PCs in one topic.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3 PraiseJah, 11-27-2005

Here are the log files :-)
Attached Files
File Type: txt Spy Sweeper Session Log.txt (17.0 KB, 1 views)
File Type: txt Scan report_20051127.txt.txt (4.8 KB, 1 views)


#4 joe5, 11-27-2005

That has cleaned up a lot. But can you also post a new hjt log? Then I can have a look at what else needs to be done.


Comments on this post
PraiseJah comments: Joe's awesome!!! :-)
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#5 PraiseJah, 11-28-2005

this is 4 u thanks
Attached Files
File Type: log hijackthis.log (12.5 KB, 3 views)


#6 joe5, 11-28-2005

Alright, let's clean those little buggers up.





Before fixing things with HijackThis Please Do the Following:



Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.


Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.




NOTE: If you want/use the Viewpoint toolbar then you can leave those; in that case don't fix the Viewpoint entries from it with hjt.





Please download Nailfix from here:

http://www.noidea.us/easyfile/file.p...50515010747824

Unzip it to the desktop but please do NOT run it yet.


Please download CCleaner

And also download this tool:

http://securityresponse.symantec.com...r/FxIstbar.exe




And uninstall some apps from Add/Remove Programs:

1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find these apps in the list of installed programs and click on Change/Remove to uninstall them , if present:

My Web Search
My Way Speedbar
Search Assistant - My Way
BestOffers Shopping


And also uninstall Viewpoint there, if you don't want to keep it.





Boot in Safe Mode (hit F8 when booting up), and run the Nailfix by double-clicking on nailfix.cmd and let it run.

After that also run Symantec's "FxIstbar.exe" tool.

And then fix these entries with hjt:
(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-4D01-B57C-F87CD586B697} - C:\Program Files\8ue4w3z5\8ue4w3z5.dll (file missing)
O2 - BHO: (no name) - {00198FF8-6EF8-4718-953B-51FF68D3652E} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {0C3B734B-83EA-4A60-8726-1C1EE0182FA3} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {29707239-C6E5-4D12-AF04-6834ED9AFFF6} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {A4F8C985-9E62-4989-93F2-E8D0162D64A0} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {C51454E7-136E-415E-A419-5586C75FDEE6} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {D31E13CA-0973-4AFB-A5B5-751C906A418A} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {F4742931-0FE9-4C81-BF98-E13140000C75} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O2 - BHO: (no name) - {F66DB12A-48D2-4E7F-A7C4-6B86EBA34442} - C:\Program Files\CSBB\CSBB.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Nvqodagn] C:\Program Files\Eezixvc\Fahfd.exe
O4 - HKLM\..\Run: [???K0???]??"????ig?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rfwbvffh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [???K0???]??"???1???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rfwbvffh.exe
O4 - HKLM\..\Run: [zxkzve] C:\WINDOWS\System32\bweywvp.exe r
O4 - HKCU\..\Run: [frif] C:\PROGRA~1\COMMON~1\frif\frifm.exe
O4 - HKCU\..\Run: [ContextUninstall] C:\WINDOWS\STUninstall.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185XXUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
And then delete the files in bold.

Just to be sure run the Nailfix again... and also run CCleaner.


Restart your computer in normal mode and please post a new HijackThis log.


Also I see that you have the Windows Messenger service running; if you don't use it then I would disable it:

Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state, running or disabled, that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
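
Added illustration (not part of joe5's post and not HijackThis code): a small parser for entries in the format of the fix list above. It labels each section code, marks registrations whose file is already gone ("file missing" / "no file"), and applies the Viewpoint exception from the note. The function names and the `keep` parameter are assumptions made for this example.

```python
import re

# Meaning of the HijackThis section codes that appear in the fix list above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F2": "ini-mapped autostart (registry)",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Run-key/Startup autostart", "O8": "IE context-menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Parse one HijackThis line; return None for anything that is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID.search(body)
    return {
        "code": code,
        "kind": SECTIONS.get(code, "unknown section"),
        "clsid": clsid.group(0).upper() if clsid else None,
        # Registration left behind after the file itself was removed.
        "orphaned": body.endswith(("(file missing)", "(no file)")),
        "body": body,
    }

def fix_list(log_text, keep=()):
    """Entries to tick in HijackThis, minus any whose text names a kept product."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [e for e in entries
            if not any(k.lower() in e["body"].lower() for k in keep)]

# Sample lines copied from the fix list in the post above.
SAMPLE = r"""
(if still present)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00198FF8-6EF8-4718-953B-51FF68D3652E} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"""

if __name__ == "__main__":
    for e in fix_list(SAMPLE, keep=("Viewpoint",)):
        flag = " [orphaned]" if e["orphaned"] else ""
        print(f'{e["code"]:>3} {e["kind"]}{flag}: {e["body"]}')
```

An orphaned entry only removes a leftover registry reference, while a non-orphaned autostart such as the F2 line still points at a file on disk that has to be dealt with separately.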

#7 PraiseJah, 12-03-2005

this is 4 you


__________________
PCHF Rules
