Infected by "Security Antivirus" and possibly hijacked


This topic is locked. 2 replies to this topic.

#1 dandytime2


Posted 14 March 2010 - 05:57 PM

I'm chasing an infection and a possible hijacking.
I have already run Malwarebytes, Spybot and, recently, HijackThis. HijackThis led me to a log file, and I want advice on which files need deleting.

Symptoms leading to this (chronologically) were:
1. My wife called me saying the computer was "squealing like a pig"; I had her shut it down until I got home.
2. I noticed that Symantec Antivirus was disabled and the imitation "Security Antivirus", with a Symantec-looking shield and all, was in my system tray.
3. I ran CCleaner to look at the startup files and disable any that might be in there on reboot that were not supposed to be.
4. I disabled System Restore and rebooted in Safe Mode. I ran a full Symantec scan, but it found nothing.
5. I did an MBAM scan and it found a few things (this was a week or so ago), and I thought deleting them there would cure everything.
6. I rebooted and saw that Symantec gave an error that "...the application has requested the Runtime to terminate it in an unusual way..."
7. Sometimes, going into Google, it gave an error message that my computer may be sending automated queries and had me enter a code to proceed.
8. I then disconnected the Ethernet and went to uninstall Symantec and LiveUpdate to try and reinstall... that gave me an interference or problem with reinstalling LiveUpdate.
9. I ran Spybot and it found about 6 areas needing attention, and files in the \Includes area. I let Spybot fix all of them, except it couldn't deal with Microsoft.Windows.RedirectedHosts. There are items under redirected hosts that (I believe) need to be deleted.
10. That led me to search online and see that HijackThis should be able to help. I installed and ran it and now have a list of items under "Trend Micro HijackThis" that are to be fixed; however, I am not knowledgeable about all these lines. Here is my log file. Could someone please tell me which ones might be corrupt or malicious?
(I am running Windows XP Pro with SP3.) I do NOT have Limewire or the like, but my wife loves Facebook (I'm convinced it came from there!).

# The following were commented/deleted on 13Mar10 from HiJackThis search
85.13.206.114 uuu20091124.info
85.13.206.114 u07012010u.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
88.198.198.206 www.google.com
88.198.198.206 google.com
88.198.198.206 google.com.au
88.198.198.206 www.google.com.au
88.198.198.206 google.be
88.198.198.206 www.google.be
88.198.198.206 google.com.br
88.198.198.206 www.google.com.br
88.198.198.206 google.ca
88.198.198.206 www.google.ca
88.198.198.206 google.ch
88.198.198.206 www.google.ch
88.198.198.206 google.de
88.198.198.206 www.google.de
88.198.198.206 google.dk
88.198.198.206 www.google.dk
88.198.198.206 google.fr
88.198.198.206 www.google.fr
88.198.198.206 google.ie
88.198.198.206 www.google.ie
88.198.198.206 google.it
88.198.198.206 www.google.it
88.198.198.206 google.co.jp
88.198.198.206 www.google.co.jp
88.198.198.206 google.nl
88.198.198.206 www.google.nl
88.198.198.206 google.no
88.198.198.206 www.google.no
88.198.198.206 google.co.nz
88.198.198.206 www.google.co.nz
88.198.198.206 google.pl
88.198.198.206 www.google.pl
88.198.198.206 google.se
88.198.198.206 www.google.se
88.198.198.206 google.co.uk
88.198.198.206 www.google.co.uk
88.198.198.206 google.co.za
88.198.198.206 www.google.co.za
88.198.198.206 www.google-analytics.com
88.198.198.206 www.bing.com
88.198.198.206 search.yahoo.com
88.198.198.206 www.search.yahoo.com
88.198.198.206 uk.search.yahoo.com
88.198.198.206 ca.search.yahoo.com
88.198.198.206 de.search.yahoo.com
88.198.198.206 fr.search.yahoo.com
88.198.198.206 au.search.yahoo.com


THANK YOU VERY MUCH
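The list above is a hosts-file hijack: every search engine, Google's safebrowsing-cache host and Microsoft's URL-reputation service (urs.microsoft.com) are pointed at two attacker-controlled addresses, which is why Google complained about "automated queries" and why Symantec could not update. The following is an added example, not part of the original post or of any of the tools named in it. It parses hosts-file text (on Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts) and flags two patterns a helper would look for: any hostname mapped to a non-local address, and any override of a watched security/search domain even when it points locally (which silently blocks updates). The sample lines are constructed for the example; a few of them reuse mappings quoted in the post. The function and constant names (`find_hijacks`, `WATCHED_SUFFIXES`, and so on) are the example's own.

```python
"""Flag hosts-file entries that redirect or block well-known domains.

Added example: detection logic for the hosts-file hijack pattern shown in
the thread, not code from the original post or from HijackThis/Spybot.
"""
import ipaddress

# Constructed sample hosts file. Lines 4-8 reproduce mappings from the post;
# the loopback entries are typical benign content (ad-blocking lists do this).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net   # ad-blocking entry, benign
88.198.198.206  www.google.com
88.198.198.206  google.com
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
85.13.206.114   uuu20091124.info
127.0.0.1       www.bing.com         # constructed: a blocked search engine
"""

# Domains whose resolution search and security tooling depend on. Overriding
# these in the hosts file is suspicious even when the target is loopback.
WATCHED_SUFFIXES = (
    "google.com",
    "bing.com",
    "yahoo.com",
    "microsoft.com",
    "google-analytics.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments/blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_local(ip):
    """True for loopback (127.0.0.0/8, ::1) or the unspecified address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                          # malformed IP: treat as non-local
    return addr.is_loopback or addr.is_unspecified


def watched(name):
    """True when the hostname is, or is a subdomain of, a watched domain."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return (ip, hostname, reason) triples worth showing to a helper.

    Reasons: "redirected off-host" for any non-local target (the pattern in
    the post), or "watched domain blocked" for a local override of a
    security/search domain (update-blocking).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                           # the one mapping every file has
        if not is_local(ip):
            findings.append((ip, name, "redirected off-host"))
        elif watched(name):
            findings.append((ip, name, "watched domain blocked"))
    return findings


def group_by_target(findings):
    """Map each target IP to the hostnames sent there; a single IP collecting
    many unrelated search domains is the sinkhole signature seen above."""
    grouped = {}
    for ip, name, _reason in findings:
        grouped.setdefault(ip, []).append(name)
    return grouped


if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_HOSTS)
    for ip, names in group_by_target(hits).items():
        print(f"{ip}: {len(names)} hostname(s) -> {', '.join(sorted(names))}")
```

Running it on the constructed sample groups five hostnames under the two off-host addresses and reports www.bing.com as a blocked watched domain. On a real machine, feed it the contents of the hosts file and treat every "redirected off-host" line as a cleanup candidate; a clean Windows XP hosts file contains only the localhost line plus whatever ad-blocking entries the owner added deliberately.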

#2 boopme (Global Moderator)

Posted 14 March 2010 - 08:25 PM

Hello, we need a DDS log, posted in another forum. You can include that log in your new topic.

We need a deeper look; please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If GMER crashes, skip it and move on.
Let me know if that went well.

#3 Orange Blossom (Moderator)

Posted 15 March 2010 - 04:28 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/302627/security-antivirus-issues-hijacked-computer/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom