Internet Security 2010


This topic is locked
6 replies to this topic

#1 kelticwizard (Members)

Posted 03 February 2010 - 02:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:52 PM, on 2/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [gftdrraj] C:\Documents and Settings\Joe Schultz\Local Settings\Application Data\vxnjtn\titosysguard.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [seledadij] Rundll32.exe "c:\windows\system32\visoziyo.dll",a
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /runonce
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gftdrraj] C:\Documents and Settings\Joe Schultz\Local Settings\Application Data\vxnjtn\titosysguard.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1264056433296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1264376506062
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: dahogemu.dll c:\windows\system32\visoziyo.dll
O20 - Winlogon Notify: cabcbaceefd - C:\WINDOWS\
O20 - Winlogon Notify: ccdecdffbcfdfc - C:\WINDOWS\
O21 - SSODL: mcuYdywMbN - {B87F3DEC-12D5-9746-EB24-A398A5D5A1C8} - C:\WINDOWS\system32\ajj.dll (file missing)
O21 - SSODL: pewalimub - {40735e3e-dbe3-40bb-91ce-6dba53ccd04d} - c:\windows\system32\mafaguzu.dll (file missing)
O21 - SSODL: tagehewet - {8d6df516-74fe-4e8f-b31b-7353f6f0e208} - c:\windows\system32\pofokago.dll (file missing)
O21 - SSODL: lomajepol - {cd3218c4-cd91-429d-bc3a-2b122203a026} - c:\windows\system32\najebofi.dll (file missing)
O21 - SSODL: tuhuhatum - {80234a45-8658-497a-9942-bdac1ef2cbbe} - c:\windows\system32\visoziyo.dll
O22 - SharedTaskScheduler: mujuzedij - {40735e3e-dbe3-40bb-91ce-6dba53ccd04d} - c:\windows\system32\mafaguzu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {8d6df516-74fe-4e8f-b31b-7353f6f0e208} - c:\windows\system32\pofokago.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {cd3218c4-cd91-429d-bc3a-2b122203a026} - c:\windows\system32\najebofi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {80234a45-8658-497a-9942-bdac1ef2cbbe} - c:\windows\system32\visoziyo.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Galaxy\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7211 bytes


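The log above is the whole case: a rogue antivirus ("Internet Security 2010") has replaced UserInit with winlogon32.exe (F2), added Run entries named after core Windows binaries (smss32.exe) and a rundll32-launched DLL (O4), installed an unknown Winsock LSP (O10), added its own sales domains to the IE Trusted Zone (O15), set AppInit_DLLs and a Winlogon Notify package with no DLL name (O20), and left shell objects pointing at DLLs that are already gone (O21/O22). The script below is an added example, written for this page and not part of the forum post or of HijackThis: it encodes those triage heuristics as code and runs them over a constructed sample copied from the log, plus two benign lines (ctfmon.exe and the Google Updater service) to show what does not fire. The look-alike name list, the empty Trusted Zone allowlist and the severity labels are the reviewer's assumptions, not anything HijackThis itself reports.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example (the reviewer's own code, not part of the forum post or of
HijackThis). The rules encode what a malware-removal helper looks for in the
autostart sections HijackThis lists (F2, O4, O10, O15, O20, O21, O22); they
are prompts for human review, not a verdict engine.
"""
import ntpath
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, original log line)

# Constructed sample: entries copied from the log above, plus two benign
# lines (ctfmon.exe and the Google Updater service) to show what stays quiet.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe",
    r"O4 - HKLM\..\Run: [gftdrraj] C:\Documents and Settings\Joe Schultz\Local Settings\Application Data\vxnjtn\titosysguard.exe",
    r"O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe",
    r'O4 - HKLM\..\Run: [seledadij] Rundll32.exe "c:\windows\system32\visoziyo.dll",a',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll",
    r"O15 - Trusted Zone: http://*.buy-internet-security10.com",
    r"O20 - AppInit_DLLs: dahogemu.dll c:\windows\system32\visoziyo.dll",
    "O20 - Winlogon Notify: cabcbaceefd - C:\\WINDOWS\\",
    r"O21 - SSODL: pewalimub - {40735e3e-dbe3-40bb-91ce-6dba53ccd04d} - c:\windows\system32\mafaguzu.dll (file missing)",
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
]

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Assumption: names that imitate core Windows binaries with a numeric suffix
# (smss32.exe, winlogon32.exe) are treated as hostile.
LOOKALIKE_RE = re.compile(
    r"^(smss|csrss|winlogon|lsass|services|svchost|spoolsv)\d+\.(exe|dll)$", re.I)
USER_DATA_RE = re.compile(r"\\Local Settings\\(Application Data|Temp)\\", re.I)
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Assumption: a home PC has no legitimate Trusted Zone entries at all.
ALLOWED_TRUSTED_ZONES: set = set()
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def first_path(command: str) -> str:
    """Return the executable/DLL path at the front of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" /", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None means nothing fired."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "F2" and "UserInit=" in body:
        # A clean XP box runs C:\WINDOWS\system32\userinit.exe here; anything
        # else executes before the user's shell on every logon.
        exe = ntpath.basename(body.split("UserInit=", 1)[1].strip().rstrip(","))
        if exe.lower() != "userinit.exe":
            return ("high", f"UserInit replaced by {exe}", line)

    elif code == "O4" and "] " in body:
        command = body.split("] ", 1)[1]
        rundll = RUNDLL_RE.match(command.strip())
        target = rundll.group("dll") if rundll else first_path(command)
        if LOOKALIKE_RE.match(ntpath.basename(target)):
            return ("high", f"Run entry imitates a system binary: {ntpath.basename(target)}", line)
        if rundll:
            return ("medium", f"Run entry loads a DLL via rundll32: {target}", line)
        if USER_DATA_RE.search(target):
            return ("medium", "Run entry starts a program from per-user Application Data/Temp", line)

    elif code == "O10":
        # A Winsock LSP is loaded into every process that uses sockets.
        return ("high", "unknown Winsock LSP DLL", line)

    elif code == "O15":
        zone = body.split(":", 1)[1].strip().split(" ")[0]
        if zone not in ALLOWED_TRUSTED_ZONES:
            return ("medium", f"site added to IE Trusted Zone: {zone}", line)

    elif code == "O20":
        key, _, value = body.partition(":")
        if key == "AppInit_DLLs" and value.strip():
            # Empty on a clean XP install; listed DLLs load into every
            # process that links user32.dll.
            return ("high", f"AppInit_DLLs set: {value.strip()}", line)
        if key == "Winlogon Notify" and value.rstrip().endswith("\\"):
            return ("high", "Winlogon Notify package points at a directory, not a DLL", line)

    elif code in ("O21", "O22"):
        if "(file missing)" in body:
            return ("low", "orphaned shell object (registry residue, DLL already gone)", line)
        return ("medium", "non-default shell object loaded by Explorer at logon", line)

    return None


def triage(lines) -> List[Finding]:
    """Run every line through triage_line and sort findings by severity."""
    findings = [f for f in (triage_line(l) for l in lines) if f]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Against a saved log, `triage(open("hijackthis.log").read().splitlines())` gives the same list. Every location the heuristics flag is one that runs at logon or inside every process, which is also why a cleanup like the one in this thread leaves "(file missing)" entries behind: the scanner deletes the DLL but the registry reference to it survives until someone fixes it deliberately.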

#2 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 04 February 2010 - 09:13 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kelticwizard (Topic Starter, Members)

Posted 07 February 2010 - 04:27 PM

This was not easy to do, since the virus/malware eliminated mbam.exe as soon as I unpacked it. I went to the library to try to download and unpack Malwarebytes, in hopes of then putting the files on a CD, but the system wouldn't allow it. I went over to a friend's house and did that, and downloaded Windows Defender (recommended by the computer guy at the library).

Once home, I managed to take the CD and transfer mbam.exe into the folder the other mbam files were in and actually download updates (which updates I thought were already installed at my friend's house). In order to download the updates I ran rkill.

mbam finally worked, and killed over 30 files. I then ran Windows Defender, had to manually download the updates because it wouldn't do so automatically, and it found some more files and killed them.

Upon restarting, I still had to run rkill to prevent my wireless connection from being shut down (one of the things the malware did). Plus, I still get a bubble warning me I had to download security software, the same message the malware ran. But most other things seem to have returned to normal. Then later today, the wireless connection came on normally after the machine was rebooted, which it did not do yesterday after rebooting several times.

So most things seem to be normal except for that warning bubble which pops up from a red shield in the tray in the lower right corner (Windows XP SP3). I wonder, is there still some malware active on the computer?

Two more questions. After updating Malwarebytes and Windows Defender this morning, just to make sure, I got a message for an update. The message comes from a yellow shield in the right-hand corner; the shield seems to have an exclamation mark on it. Is this from a good place or a bad place, like the malware? Could you take a look at it?

Message came from the yellow shield in the lower left corner:
[screenshot not reproduced]

And here is the box which pops up when you right-click that yellow shield:
[screenshot not reproduced]

Thank you very much for the help you have already given.

Edited by kelticwizard, 07 February 2010 - 05:42 PM.


#4 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 07 February 2010 - 05:59 PM

Hi,

The warning bubble should be the genuine one now, so please allow the updates.
Also, the other warning sign should be the genuine one as well, telling you that you don't have an Antivirus installed which is the case here. So allow the Windows updates and install an Antivirus afterwards.
Let me know in your next reply how things are now.


#5 kelticwizard (Topic Starter, Members)

Posted 08 February 2010 - 03:55 PM

I'm not sure if the wireless connection needs rkill to function, or if it comes on itself after a minute or two. First I tried waiting for what seemed like a long time and it didn't come on until I hit rkill. Then later in the day when I turned the machine on, I had to wait a minute or so and it turned on by itself.

As far as the updates go, the box does not appear when I turn on the machine, even though I didn't allow the updates. I didn't know which program the update box was from, so I checked Windows Update, which said automatic updates are on and there were no more high priority updates I needed to download. I checked Windows Defender, and it also said the latest updates were installed on the computer. So maybe they installed themselves when I turned on the computer today, I don't know. I don't think Malwarebytes gives automatic updates in the free version, so I don't think that box was from Mbam.

I bought Norton 360 a week ago but did not install it because I thought all the malware might mess up the installation. It appears the malware is either all or mostly gone, so I plan to install the Norton today. Thank you very much for your time and expertise, and I'll let you know how the installation and initial scan went.

#6 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 08 February 2010 - 04:02 PM

Hi,

Your wireless connection will turn on by itself automatically - just give it some time after reboot.
For the "Update box", that was from Windows updates.


Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 16 February 2010 - 09:05 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



