Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ADVICE Needed.. TOONCOM virus wont go away!!

Status
Not open for further replies.
StressedTechie

StressedTechie

Technical User
Jul 13, 2001
367
GB
HI
One of my users (just happens to be the MD) recieved some spam mail the other day. It was opened by accident and this troj/tooncom-b virus was activated.

I am running sophos and it did its job. It identified iedll.exe as containing the virus. I deleted this file and the system looked okay.

HOWEVER
On the next reboot the virus has gone but his favourites folder is filled full of Porno URLS and the default omepage is some spurious search page, I have searched the internet and followed Sophos, Mcafee, Nortons etc.

I have deleted the Loader.exe
I have searched the Registry and deleted the the loader and loadergui files from Local user.
This has now got rid of the tooncom default page and replaced it with hand-held.com Its doing my bloody head in. The people that write these things should be dragged into the streets screaming and shot!! Sorry I am cheesed off I have spent all morning trying to rid his pc of this infernal problem.

Any advise greatfully recieved. I am contemplating flattening his machine!!
 
Sort by date Sort by votes
Look in the HKCU and HKLM run sections
Any entry with regedit -s loads a registry change
at each boot.
Could also place a log from hijackthis here for inspection of course.Maybe someone can pick something fishy out
from it.

 
Upvote 0 Downvote
what happened is basically the difference between traditional AV's and the new breed of AV's. basically the malwares of today are more complicated than before. Before, whenever you detect a malware you can just delete them. recent malwares cling to the system thru INI files, registry and active process memory. This is what we call system disinfection. With system disinfection, all reversible system modification is reverted back as much as possible.
 
Upvote 0 Downvote
StressedTechie

It's a CWS hijacker

Download and run this program and I guarantee it will clean it out for you.


If you then want to post a hijackthis log....we can see if you have any other problems of a similar nature

Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
Upvote 0 Downvote
Thanks steamwiz

I ran the CWShredder and then ran Hijackthis. Hijack this identified several dodgy entries which were instantly indefiable. handheld.com after fixing these the problem has gone away.


Thanks
 
Upvote 0 Downvote
HI guys

I am still suffering from this bloody virus. It is continually hijacking my MDs browser.

I have run CWshredder and it finds that CWS-Mupdate is always infected and fixes that particular area. As soon as you fire up Explorer Boom its back and infected again.

Here is the Hijack This Log

Logfile of HijackThis v1.97.7
Scan saved at 09:35:22, on 09/12/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NTME\METHWNT.EXE
C:\WINNT\System32\NTME\brad32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\systemhound\shservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
W:\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\IRD~1.BDO\LOCALS~1\Temp\msjeki.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Star Launcher.lnk = star\Launcher.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro1\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FB2E657-7D58-47CC-AE60-95688A3A97B7}: NameServer = 195.226.131.251,195.226.128.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4FB2E657-7D58-47CC-AE60-95688A3A97B7}: NameServer = 195.226.131.251,195.226.128.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4FB2E657-7D58-47CC-AE60-95688A3A97B7}: NameServer = 195.226.131.251,195.226.128.2


Any help gratefully recieved I am seriously thinking about flatterning the machine, it might be easier

Thanks
 
Upvote 0 Downvote
Close all browser windows - run hijackthis and tick to fix :-


O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\IRD~1.BDO\LOCALS~1\Temp\msjeki.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


Reboot and let us know

steam
 
Upvote 0 Downvote
Don't forget to turn off System Restore (or it's equivalent), or reboot may bring problems right back.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
250
Oorde
Oorde
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
102
andyv2011
andyv2011
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
157
goombawaho
goombawaho
DrB0b
  • Locked
  • Question
GMail Google Docs Phishing Attempt
Replies
5
Views
180
goombawaho
goombawaho
kharrison70
  • Locked
  • Question
Meskisift Visaal Studie Virus? 6
Replies
6
Views
157
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top