
teen-biz pop-ups & redirects

Discussion in 'Virus & Other Malware Removal' started by beau909, Jan 10, 2004.

  1. beau909

    beau909 Thread Starter

    Joined:
    May 16, 2003
    Messages:
    11
    i am posting on behalf of a friend who, unfortunately, due to being too occupied with family concerns, is unable to log on and post for herself. therefore, i am trying to find out whatever i can for her. her problem (or at least the most bothersome thereof) is being constantly & frequently bombarded by pop-ups & redirects apparently associated with http://teen-biz.com

    she has already downloaded, installed and regularly updated and run spybot, adaware as well as hijack this. unfortunately she is still being tormented by having her children be subjected to the extremely profane visual & text attacks that teen-biz seems to feel compelled to launch at every opportunity. as you can see from the following hijack log, teen-biz was found:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:52 AM, on 1/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Limore\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
    O4 - Global Startup: winlogon.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F478E6-6066-4263-8113-E676826B9E8B}: NameServer = 212.150.48.169 206.49.94.234

    she has deleted all references to http://teen-biz.com, but still teen-biz attacks have not abated. does anybody here see anything that might be responsible for the continued assaults? also, i was wondering if the webshots screensaver download program could possibly be causing, or at least opening the way for teen-biz or other such malicious intruders? another question that has been on my mind is: could it be possible that by using incredimail rather than outlook express or some sort of webmail (i noticed many incredimail references to incredimail download/install functions), she is making or leaving herself more vulnerable to these types of attacks? i have seen that you guys here almost always seem to be able to get to the root of the matter and to get the job done when it comes to resolving persistent problems like this, so i thought maybe you would know something about it. also, from the hijack log i have submitted, do there seem to be any indications of the presence of cws, peper, or any other trojans that you know of? i thank you very much for your time and assistance

    beau909
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Click on the link below and it will download CWShredder. Close all browser windows, click on the cwshredder.exe and let it do its thing.

    http://www.spywareinfo.com/~merijn/junk/CWShredder.exe

    When it is finished restart your computer.

    I strongly recommend you install the following patches for the vulnerabilities that this hijacker exploits:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

    http://www.microsoft.com/technet/tr...in/ms03-011.asp

    And the media player security update:
    http://support.microsoft.com/defaul...kb;en-us;828026

    Post a 2nd logfile after.

    ;)
     
  3. beau909

    beau909 Thread Starter

    Joined:
    May 16, 2003
    Messages:
    11
    $teve, from your reply to my detailed post, am i to infer that you did find evidence of the presence of the cws trojan or other malicious entities? could you please provide a little more specific info as to what you saw and what, in your opinion, it meant? thanks much.
    beau909
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Certainly... the teen-biz entries are from the Coolwebsearch hijacking. Also this:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

    And this:
    O4 - Global Startup: winlogon.exe
    All part of the same parasitic family.
    In XP CWShredder should take them all out,
    but to make sure we need to confirm it with another logfile.
    ;)
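The two kinds of indicator $teve points at in the log (Internet Explorer start/search settings rewritten to teen-biz.com, and a winlogon.exe launched from the All Users Startup folder rather than from System32) can be checked mechanically when triaging a HijackThis log. The script below is an added example for this thread, not code from the forum or from HijackThis; it parses a few lines copied from the log above plus one constructed benign Start Page entry, and the allowlist of expected home/search-page hosts is an assumption you would replace with whatever the machine's owner actually chose. It flags every O1 hosts override and every O17 NameServer entry for manual verification, since a log alone cannot say whether those values are legitimate.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log in this thread, plus
# one benign Start Page entry (google) added so the allowlist check has a contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: winlogon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F478E6-6066-4263-8113-E676826B9E8B}: NameServer = 212.150.48.169 206.49.94.234
"""

# Core Windows process names that legitimately run only from %SystemRoot%\System32.
CORE_PROCESS_NAMES = {"winlogon.exe", "smss.exe", "lsass.exe",
                      "services.exe", "csrss.exe", "svchost.exe"}
# Assumed (hypothetical) allowlist of home/search-page hosts the owner chose.
DEFAULT_ALLOWED_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
URL_SETTING_RE = re.compile(r"^(?P<key>HK(?:CU|LM)\\[^=]+?) = (?P<value>.*)$")


def parse_hijackthis(text):
    """Split a HijackThis log into running-process paths and (section, body, line) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("section"), m.group("body"), line))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def audit(text, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return (finding_kind, offending_line) pairs for the indicators discussed in the thread."""
    processes, entries = parse_hijackthis(text)
    findings = []
    # A core-process name running from anywhere but System32 is the winlogon.exe case above.
    for path in processes:
        if _basename(path) in CORE_PROCESS_NAMES and not _in_system32(path):
            findings.append(("core_name_outside_system32", path))
    for section, body, line in entries:
        if section in ("R0", "R1"):
            # IE start/search settings: flag any host the owner did not choose.
            m = URL_SETTING_RE.match(body)
            if m:
                value = m.group("value").strip()
                host = urlparse(value).netloc.lower() or value
                if host not in allowed_hosts:
                    findings.append(("ie_setting_redirected", line))
        elif section == "O1":
            # Any hosts-file override deserves a look; the log cannot tell if it is wanted.
            findings.append(("hosts_file_override", line))
        elif section == "O4" and body.startswith("Global Startup:"):
            name = body.split(":", 1)[1].strip().lower()
            if name in CORE_PROCESS_NAMES:
                findings.append(("core_name_in_startup_folder", line))
        elif section == "O17":
            # DNS servers: verify against the ISP's published resolvers.
            findings.append(("dns_servers_to_verify", line))
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_LOG):
        print(f"{kind:32} {line}")
```

Run against the sample it reports six findings: the Startup-folder winlogon.exe twice (once as a running process, once as the O4 Global Startup entry), both teen-biz.com IE settings, the hosts override and the O17 DNS servers; the constructed google Start Page line passes the allowlist. The same `audit` function runs unchanged over the full log posted above.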
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi guys, I've split this posting into its own thread. In the future, please start your own thread rather than tagging onto the end of another one, especially one marked Solved or Resolved ;)
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Thanx sweety, was going to pm you but thought it would be resolved pretty quick and was also keeping an eye on it.
    ;)
     
Short URL to this thread: https://techguy.org/193984