TechSpot

I have completed the 8 steps, now what?

By XxSnip3xX
Dec 31, 2008
  1. Ok, my computer is acting weird. But it only does this when I have Firefox opened, and when I do, every once in a while I see a window maximize above mine, but then it immediately goes away. And sometimes my computer will open up 654356354 Firefox windows all having these weird sites...and they're always the same ?5?. Also, I have been noticing my computer opening up the website sagipsul, which I googled and it led me here. Which is why I'm now registered. Any way to fix this? I have attached my logs below.

    Malwarebytes and SUPERantispyware are still running...I'll upload those when they finish. :)
     
  2. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Here is my SAS....I accidentally closed out the MBAM....how do I get it back?
     
  3. rev_olie

    rev_olie TS Maniac Posts: 560

    If you have left MBAM without loading the log, go back in and I think there is a logs tab where you can view them in the actual MBAM program. Also go to where it's installed and have a look there

    C:/Program Files/Malwarebytes and then it will be called log something or other. Around that location anyhow.

    I will take a look at your log tomorrow unless someone helps you sooner :)
    Happy new year
     
  4. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Here is the MBAM log...I re-booted like MBAM and SAS said to. Happy new year to you too! Also, when I re-booted, my firewall was off, but it turned back on by itself, and then automatic updates was off, and I manually re-enabled that.
     
  5. brucethetech

    brucethetech TS Enthusiast Posts: 229

    O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
    O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
    O4 - HKUS\S-1-5-19\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')

    These are the bad guys here, so trash these. Afterwards browse to these file locations and delete these files. If you cannot delete them, try booting in safe mode and deleting them. They are piggy-backing off the legitimate rundll32.exe process that is used quite frequently in Windows. I've seen situations where these keys will jump back into the registry after they are deleted. Let us know how it goes
     
  6. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Right-click on the My Computer icon and go to Properties
    Turn off System Restore
    open IE and go to Tools > Options, delete temporary internet files and cookies
    do a disk cleanup in your Start/Accessories/System Tools menu

    After the reboot
    download Malwarebytes and install
    run HijackThis and Malwarebytes at the same time
    select any files and/or keys posted in HijackThis
    but on both Malwarebytes and HijackThis click fix at the same time.
    then reboot immediately.
    if you forget to turn off System Restore it will return no matter what

    reboot once complete, run HijackThis and post your log here again


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

    O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
    O
    O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
    O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
    O4 - HKUS\S-1-5-19\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: avgrsstx.dll vcmroh.dll C:\WINDOWS\system32\nifudoju.dll c:\windows\system32\yuhisona.dll

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O24 - Desktop Component 1: (no name) - http://mail.google.com/mail/?tab=wm&shva=1#inbox
     
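An added example (not from the thread or any of the posters): a Python triage of the HijackThis lines quoted above, applying the rules brucethetech and BlkHeartWolf used by hand: rundll32 autoruns pointing into system32, a BHO whose only name is a GUID, orphaned toolbars, and AppInit_DLLs entries that reuse one of those DLLs. The regexes and the `triage` helper are assumptions of this example, not part of HijackThis.

```python
import re

# Constructed sample built from the HijackThis lines quoted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O20 - AppInit_DLLs: avgrsstx.dll vcmroh.dll C:\WINDOWS\system32\nifudoju.dll c:\windows\system32\yuhisona.dll
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)

def basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def triage(text):
    """Return {log line: reason} for entries a helper would tick in HijackThis (heuristic)."""
    fix, suspect, appinit = {}, set(), []
    for line in text.strip().splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "O4":
            cmd = re.sub(r"^[^:]+: \[[^\]]*\] ", "", body)  # drop "HKLM\..\Run: [name] "
            r = RUNDLL_RE.match(cmd)
            if r and "system32" in r.group(1).lower():
                fix[line] = "rundll32 loads a DLL from system32 at logon"
                suspect.add(basename(r.group(1)))
        elif sec == "O2":
            parts = [p.strip() for p in body.split(": ", 1)[1].split(" - ")]
            if GUID_RE.match(parts[0]):  # BHO whose "name" is only a CLSID
                fix[line] = "BHO with no name, only a GUID"
                suspect.add(basename(parts[-1]))
        elif sec == "O3" and "(no name)" in body and "(no file)" in body:
            fix[line] = "orphaned toolbar entry"
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            appinit = body.split(":", 1)[1].split()
    # AppInit_DLLs are injected into every process; a DLL there that is also a
    # flagged autorun/BHO target belongs to the same infection, not a separate product.
    for dll in appinit:
        if basename(dll) in suspect:
            fix[f"O20 - AppInit_DLLs: {dll}"] = "AppInit DLL shared with a flagged entry"
    return fix
```

Legitimate entries such as GWMDMpi (the modem software) and Vidalia are left alone; nifudoju.dll and avgrsstx.dll are not flagged by these rules and still need a manual look.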
  7. brucethetech

    brucethetech TS Enthusiast Posts: 229

    Don't delete this one

    O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe

    He's one of the good guys. This is part of his modem software.
     
  8. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Ok how do I delete these files? I navigated to the file location and it wasn't there? Am I missing something? Do I do it inside one of the programs or what? Please help.
     
  9. rev_olie

    rev_olie TS Maniac Posts: 560

    Little more detail next time please guys :p

    Go into Hijackthis and click scan

    Then go to the keys highlighted above. Place a tick in the box next to those items ONLY.

    Then, only after double checking them to make sure you haven't checked a similar item, press fix selected.

    Then start your PC and press scan with logfile and post the log again to double check you got it right.
     
  10. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Ok, here is the log after I deleted everything.
     
  11. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Ooops! I forgot to upload it in the post above! Lol sorry here it is.
     
  12. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Did good

    These trojans mostly come in on a GOOGLE redirect to a different server.
    While the install is Google code, it lists a provider in the registry like this:
    KEY
    hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\internet explorer\searchurl\
    • provider = gogl or googl

    I am not sure why your 2 are still listed but I would remove google and re-install directly from them to ensure you do not have such a provider in your registry.
    GOOGL is hard to explain and detailed, so I ask you to trust me
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    WOLF
     
  13. XxSnip3xX

    XxSnip3xX TS Rookie Topic Starter

    Thanks a lot! You guys were a load of help!
     
Topic Status:
Not open for further replies.
