
Still have google hijack after "security tools" cleanup


#1 mindwave_21


Posted 13 January 2010 - 03:06 PM

Hello, this is my first post here.

I recently was surfing the web watching online movies, and I clicked on a link I thought was supposed to be a movie player. Turns out it was a disaster waiting to happen. Avast went nutso saying it found a bunch of Warnings (beep.sys and other legitimate files). Then security tools installed itself onto my computer, which is about the time I started to get concerned.

This is what I had on before the attack:
1. Avast antivirus
2. Firefox Adblock plus, web of trust

After the attack (round 1):
1. MBAM scan

/*********************************** Start MBAM log*****************************************/
Malwarebytes' Anti-Malware 1.44
Database version: 3511
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/7/2010 4:36:36 PM
mbam-log-2010-01-07 (16-36-36).txt

Scan type: Quick Scan
Objects scanned: 127774
Time elapsed: 12 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\rotmv2.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\35298633 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon (Malware.Packer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: rotmv2.dll -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\35298633 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\rotmv2.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\35298633\35298633.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TM26D.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TM270.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\stroml\Start Menu\Programs\Startup\siszyd32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\stroml\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\stroml\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
/*********************************** End MBAM log*****************************************/
2. Spybot turned up some tracking cookies
3. Restart with avast boot time scan (no viruses)

After the restart, security tools was gone, but I had the following symptoms:
* firefox.exe was missing from my system
* startup took longer than usual, and the windows intro .wav was delayed (usually plays the audio then loads the system, now it seems to do the opposite)
* system was generally unstable, with programs (e.g. the Spybot updater) crashing on the first run, but working when reopened.

So I reinstalled firefox and ran these additional programs:
1. Spybot (reinstalled on the computer)
2. ATF temp file cleaner
3. SuperAntiSpyware scan turned up a Rogue.Agent/Gen
4. Lavasoft AdAware was clean
5. MBAM updated and run again (clean)
6. HijackThis (didn't see anything interesting, but I could be untrained)
7. EasyCleaner (cleaned unnecessary or broken registry keys)
And a restart to safe mode:
8. SAS again (clean)
9. MBAM again (tracking cookies)
10. Spybot again (clean)

I figured that all of this was sufficient to clean my system, but I started to notice that when I was in Firefox and searched Google (in the Firefox toolbar OR in Google's search input), I would occasionally be redirected to the following sites: QuestBooster, 7Search, theyoursafety, and so on. Luckily the Web of Trust Firefox plugin stops the site from loading completely, so it doesn't get too many redirects. This happens, I would say, every 15th or 20th time I click on a search result, so not super often, but I am concerned about malware or backdoor trojans still on my computer.

The strange thing is that I was running Avast and Firefox ad-blocking tools, but this infected my computer as if nothing was working.

Please advise. Thanks.

Edited by mindwave_21, 13 January 2010 - 03:16 PM.
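The MBAM log quoted in the post is the most useful artifact in the thread for anyone reviewing a cleanup like this one: three of its findings were only scheduled for "Delete on reboot" (rotmv2.dll, the LSA Notification Packages value pointing at it, and the Startup-folder siszyd32.exe), and several sit in locations that load code at boot or logon (Run values, LSA Notification Packages, the Startup folder). The script below is an added example, not code from the post or from Malwarebytes; it parses the "X Infected:" sections of a log in this layout and lists those two categories for re-checking. The sample log is a constructed excerpt in the same format (with a placeholder user profile path), and the list of persistence locations is an assumption of the example, not something MBAM itself reports.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text logs.

Added example, not MBAM's own code. Parses the 'X Infected:' sections of a
log in the 1.4x layout and flags two things worth re-checking after a
cleanup: items MBAM could only schedule for 'Delete on reboot', and
detections sitting in locations that run code at boot or logon.
"""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the post's log (not the full log);
# the 'user' profile name is a placeholder.
SAMPLE_LOG = """
Malwarebytes' Anti-Malware 1.44
Database version: 3511

Memory Modules Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\\WINDOWS\\rotmv2.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon (Malware.Packer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Notification Packages (Trojan.Vundo.H) -> Data: rotmv2.dll -> Delete on reboot.

Files Infected:
C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\siszyd32.exe (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\Temp\\_ex-08.exe (Malware.Packer) -> Quarantined and deleted successfully.
"""

# A section header is 'Something Infected:' with nothing after the colon;
# the summary block near the top uses 'Something Infected: <count>' instead.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One finding: '<item> (<threat name>) -> <action>.'
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Locations that give a file a foothold at boot or logon (assumed heuristics,
# matched case-insensitively against the item path or registry key).
PERSISTENCE_MARKERS = (
    "\\currentversion\\run\\",               # HKLM/HKCU ...\Run values
    "\\control\\lsa\\notification packages",  # DLLs lsass loads at boot
    "\\start menu\\programs\\startup\\",      # per-user Startup folder
)


def parse_mbam_log(text):
    """Return {section_name: [{'item', 'threat', 'action'}, ...]}.

    Sections that report '(No malicious items detected)' are omitted.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            sections[current].append(entry.groupdict())
    return dict(sections)


def triage(sections):
    """Return (pending_reboot, persistence) lists built from parsed sections.

    pending_reboot: items whose removal was deferred to the next reboot; these
    should be confirmed gone afterwards, since a failed reboot leaves them.
    persistence: (section, item) pairs in boot/logon locations, which are
    worth re-checking by hand even when MBAM reports them removed.
    """
    pending_reboot, persistence = [], []
    for section, entries in sections.items():
        for e in entries:
            if "reboot" in e["action"].lower():
                pending_reboot.append(e["item"])
            if any(marker in e["item"].lower() for marker in PERSISTENCE_MARKERS):
                persistence.append((section, e["item"]))
    return pending_reboot, persistence


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    pending, persist = triage(parsed)
    print("Deferred to reboot (confirm removed):")
    for item in pending:
        print("  ", item)
    print("Boot/logon persistence locations (re-check):")
    for section, item in persist:
        print(f"   [{section}] {item}")
```

Run against the full log from the post, the same two lists come out: the reboot-deferred items are exactly the ones whose symptoms (delayed startup, instability, search redirects) the poster still saw afterwards, which is why confirming that those paths and registry values are actually gone after the reboot is the first thing to verify before assuming a separate, undetected infection.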

#2 mindwave_21

  • Topic Starter

Posted 15 January 2010 - 01:36 PM
