Please Help Me!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tammy wilson, Apr 28, 2004.

  1. tammy wilson

    tammy wilson Private E-2

    Can someone please help me? My son went to a dang porn site and now my PC is whacked! I did everything to get it off. I have AVG and Ad-aware. I have XP, and I turned off my restore and rebooted and ran a scan and cleaned it and then turned restore back on and rebooted, and it is OK for about 30 minutes; then I will be looking at something and it boots me to an error 404 page and then opens another window to a sex site, and a little box pops up that says "download can't be complete til you click yes". I have to X out of all that. Also it changes my homepage to "coolsites" even though I change it back and deleted all the cookies at scan time. It also tries to install an XXXtoolbar. Please help me rid this for good; I have run 10 scans and they say it is healed but it isn't. Please help!!!!
     
  2. MrPewty

    MrPewty MajorGeek

    Why did you clean out your restore points? I would have suggested starting in safe mode and restoring to a safer time, before the porn site. You could download spywareblaster from this site. That might help clean it up. I notice in the settings on Spyware Blaster that the XXX toolbar is one of the things it protects against. Sorry I can't be of more help, but if you stick around, someone will be.

    Welcome to MajorGeeks BTW.
     
  3. Boccemon

    Boccemon First Sergeant

  4. tammy wilson

    tammy wilson Private E-2

    Hi, thanks. I didn't clean out my restore points; I turned it off so that when I cleaned the virus it wouldn't hide in restore and put it back in. That's what everyone says to do... Anyone else?
     
  5. Boccemon

    Boccemon First Sergeant

    I am sorry to report that when you "turn off" system restore, you lose all of your previous restore points. You turned it off and restarted, correct?? I really believe that SpyBot S&D can help. When you re-enable sys restore it will create a new point for you.
     
  6. tammy wilson

    tammy wilson Private E-2

    Spybot didn't take it off either. It says it cleaned off 15 things, but it is still here. Also, AVG keeps picking up a trojan called Briss.c and claims it healed it, but then it shows it still there.

    I tried to download HijackThis and am having problems with it too. I hit save and it shows download complete, but when I try to open it I keep getting this message:
    "C:/Documents and settings/ALL USERS/ DOCUMENTS/HIJACKTHIS.ZIP" THE SPECIFIED PATH DOES NOT EXIST CHECK THE PATH AND TRY AGAIN.

    NOW WHAT? :(
     
  7. billH

    billH Master Sergeant

    Try setting up a new folder for HiJack this (titled maybe HiJack This ;) ) and downloading Hijack This to that folder. That might let it set up.
     
  8. tammy wilson

    tammy wilson Private E-2

    Still won't work... may have something to do with it being a zip? Not sure; never had a problem downloading before. Man, this is a pain!
     
  9. alanc

    alanc MajorGeek

  10. Hi Def

    Hi Def Private E-2

    I have had the best luck using 3 things: Spybot S&D, Ad-aware and CWShredder. When those 3 are used back to back, it's gotten rid of any spyware or trojan I've ever had. Ad-aware needs to be updated to the latest version to get rid of the dreaded ISEARCH toolbar as well as some other crap that's out there. All are free too! Give 'er a whirl! Hope it helps.

    M
     
  11. tammy wilson

    tammy wilson Private E-2

    OK! Thanks! Here is the log, PLEASE help!

    Logfile of HijackThis v1.97.7
    Scan saved at 6:57:25 AM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\services\wmplayer.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\wintit.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\Documents and Settings\Owner\Application Data\eber.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\unzipped\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.biblelookup.com/srchassto.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N2 - Netscape 6: user_pref("browser.startup.homepage","about:blank"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9vgh7d9y.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9vgh7d9y.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKLM\..\Run: [ihsdoh] C:\WINDOWS\ihsdoh.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpamWasher] "C:\PROGRA~1\PANICW~1\SPAMWA~1\SWasher.exe"
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: DLHelperEXE.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Tegrity-WebLearner-2245 - http://dell.lsua.edu/tegrity/LSUA%20Early%20Childhood%20Program/Class/TWebS.CAB
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://xronik.ud-dial.biz/1/dexGB677.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view22.com/view22/View22RTE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/286/webolr/OCX/FlashAX.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4352/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A48386D6-7F55-4A55-9899-1104AE530C5C}: NameServer = 209.142.182.250 209.142.136.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C62A1852-9021-4A07-879B-29887195DCC5}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CAE4E7EB-3B3E-40E5-8848-C78E62F5613F}: NameServer = 69.57.146.14,69.57.147.175
     
  12. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://xronik.ud-dial.biz/1/dexGB677.exe

    Don't like this one at all; I would remove it. It's an odd web address and, sure enough, a visit there turns up nothing.

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

    Remove those, they are not needed. Not related to this problem.



    Also, I have not heard anyone mention running CWShredder; this should be in everyone's arsenal of tools.

    http://www.majorgeeks.com/download4086.html

    That should keep you busy as I have to leave for a while, otherwise, I am sure one of these guys will continue where I left off.
     
  13. tammy wilson

    tammy wilson Private E-2

    I will try that. I don't have Yahoo Chat anymore, but it still shows up in Add/Remove, and when you try to delete it, it says it isn't there. Anyhoo, I will try these and see what happens.
     
  14. goldfish

    goldfish Lt. Sushi.DC

    O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe

    This looks bad. AFAIK the IE executable doesn't live in there, and in any case it shouldn't be running on startup.
     
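    The checks Major Attitude and goldfish applied by eye above (an O16 DPF entry pulling a bare .exe from an odd address, and an "iexplore.exe" autorun that lives in System32 rather than under Program Files) can be written down as a small triage script. This is an added example, not a tool from this thread or from the HijackThis authors. It assumes the stock Windows XP locations for the impersonated binaries listed in EXPECTED_DIR, and that System32 has no "services" subfolder on a clean install; the sample entries are copied from the log posted in this thread.

```python
import ntpath
import re

# Sample entries, copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [ihsdoh] C:\WINDOWS\ihsdoh.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://xronik.ud-dial.biz/1/dexGB677.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# HijackThis line formats: "O4 - HKLM\..\Run: [name] command" and
# "O16 - DPF: {CLSID} (Friendly Name) - url" (the friendly name is optional).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")

# Assumed stock Windows XP home of commonly impersonated binaries (lowercase).
# A file with one of these names running from anywhere else is a look-alike.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "wmplayer.exe": r"c:\program files\windows media player",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}


def command_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def check_o4(line: str) -> list:
    """Reasons an O4 autorun entry deserves a closer look (empty if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    path = command_path(m.group(3))
    folder = ntpath.dirname(path).lower()   # ntpath handles Windows paths on any OS
    name = ntpath.basename(path).lower()
    reasons = []
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        reasons.append(f"{name} normally lives in {EXPECTED_DIR[name]}, not {folder}")
    if "\\application data\\" in folder or folder.startswith(r"c:\documents and settings"):
        reasons.append("autorun executable stored in a user profile directory")
    if "\\system32\\services" in folder:
        reasons.append("executable in a System32 subfolder that stock XP does not have (assumption)")
    return reasons


def check_o16(line: str) -> list:
    """Reasons an O16 downloaded-program (ActiveX) entry deserves a closer look."""
    m = O16_RE.match(line)
    if not m:
        return []
    clsid, friendly, url = m.groups()
    reasons = []
    if url.lower().endswith(".exe"):
        reasons.append("DPF entry fetches a bare .exe instead of a .cab/.dll control")
    if friendly is None:
        reasons.append(f"no registered control name for CLSID {clsid}")
    return reasons


def triage(log_text: str) -> dict:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_o4(line) + check_o16(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, this flags the wmplayer.exe, iexplore.exe, eber.exe and xronik entries and leaves the QuickTime, AIM and Flash lines alone. It does not flag pc32.exe, which goldfish identified by antivirus signature rather than by its location, so a script like this narrows the list to research; it does not replace looking each entry up.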
  15. tammy wilson

    tammy wilson Private E-2

    Thanks to you all! You guys are the bomb! It is OK now, thanks again!!! :)
     
  16. goldfish

    goldfish Lt. Sushi.DC

    BTW ...

    Positive identification: Trojan.CS
    File: f:\winnt\system32\pc32.exe
     
  17. tammy wilson

    tammy wilson Private E-2

    goldfish, does that mean I need to delete that file too?
     
  18. alanc

    alanc MajorGeek

    I'll step in while Goldy's offline...

    Yes, delete it!

    It might be a hidden file so make sure Show hidden files and folders is checked in Folder Options, and you might have to restart in Safe Mode to delete it.
     
