I have completed the 8 steps, now what?

Status
Not open for further replies.

XxSnip3xX

Ok, my computer is acting weird. But it only does this when I have Firefox opened, and when I do, every once in a while I see a window maximize above mine, but then it immediately goes away. And sometimes my computer will open up 654356354 Firefox windows all having these weird sites...and they're always the same ?5?. Also, I have been noticing my computer opening up the website sagipsul, which I googled and it led me here. Which is why I'm now registered. Any way to fix this? I have attached my logs below.

Malwarebytes and SUPERantispyware are still running...I'll upload those when they finish. :)
 
If you have left MBAM without loading the log, go back in; I think there is a Logs tab where you can view them in the actual MBAM program. Also go to where it's installed and have a look there:

C:/Program Files/Malwarebytes and then it will be called log something or other. Around that location anyhow.

I will take a look at your log tomorrow unless someone helps you sooner :)
Happy new year
 
Here is the MBAM log...I re-booted like MBAM and SAS said to. Happy new year to you too! Also, when I re-booted, my firewall was off, but it turned back on by itself, and then automatic updates was off, and I manually re-enabled that.
 
O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
O4 - HKUS\S-1-5-19\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')

These are the bad guys here, so trash these. Afterwards browse to these file locations and delete these files. If you cannot delete them, try booting in safe mode and deleting them. They are piggy-backing off the legitimate rundll32.exe process that is used quite frequently in Windows. I've seen situations where these keys will jump back into the registry after they are deleted. Let us know how it goes.
 
Right-click on the My Computer icon and go to Properties.
Turn off System Restore.
Open IE and go to Tools > Options; delete temporary internet files and cookies.
Do a Disk Cleanup from your Start/Accessories/System Tools menu.

After the reboot:
download Malwarebytes and install;
run HijackThis and Malwarebytes at the same time;
select any files and/or keys posted in HijackThis,
but on both Malwarebytes and HijackThis click Fix at the same time;
then reboot immediately.
If you forget to turn off System Restore it will return no matter what.

Reboot once complete, run HijackThis and post your log here again.


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-19\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: avgrsstx.dll vcmroh.dll C:\WINDOWS\system32\nifudoju.dll c:\windows\system32\yuhisona.dll

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 1: (no name) - http://mail.google.com/mail/?tab=wm&shva=1#inbox
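Added example, not from this thread or from HijackThis itself: a small Python triage of HijackThis entries like the ones quoted above. It flags Run-key entries that load a DLL through Rundll32.exe (the "piggy-backing" pattern the helpers point out) and DLLs that appear under more than one autostart hook (O2 BHO, O4 Run, O20 AppInit_DLLs), while leaving the benign GWMDMpi modem entry and AVG's avgrsstx.dll alone. The sample lines are copied from the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines quoted earlier in this thread. GWMDMpi is the
# benign modem entry a helper said to keep and avgrsstx.dll is AVG's; neither is flagged.
HJT_LOG = r"""
O2 - BHO: {b76c0542-a909-a8bb-aa64-4c876a3b31a2} - {2a13b3a6-78c4-46aa-bb8a-909a2450c67b} - C:\WINDOWS\system32\vcmroh.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s
O4 - HKLM\..\Run: [CPMffddc3ac] Rundll32.exe "c:\windows\system32\yuhisona.dll",a
O4 - HKUS\S-1-5-19\..\Run: [fisodepasu] Rundll32.exe "C:\WINDOWS\system32\mezutilo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: avgrsstx.dll vcmroh.dll C:\WINDOWS\system32\nifudoju.dll c:\windows\system32\yuhisona.dll
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")   # hive, value name, command
DLL_RE = re.compile(r"([\w-]+\.dll)", re.I)                       # DLL basenames in a body
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"]*?system32\\([\w-]+\.dll)', re.I)

def parse(log):
    """Yield (section, body) for every HijackThis entry line, skipping blanks."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (tag, detail) findings: Rundll32 loaders and DLLs hooked by several sections."""
    findings, hooks = [], defaultdict(set)
    for section, body in parse(log):
        for dll in DLL_RE.findall(body):
            hooks[dll.lower()].add(section)
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            hive, name, command = run.groups()
            loader = RUNDLL_RE.search(command)
            if loader:
                findings.append(("rundll32-loader",
                                 f"{hive} Run [{name}] loads {loader.group(2).lower()} via rundll32"))
    # A DLL wired into several autostart mechanisms (BHO, Run key, AppInit_DLLs) is the
    # strongest signal in the log: legitimate software rarely needs more than one.
    for dll, sections in sorted(hooks.items()):
        if len(sections) > 1:
            findings.append(("multi-hook", f"{dll} loaded by {', '.join(sorted(sections))}"))
    return findings

if __name__ == "__main__":
    for tag, detail in triage(HJT_LOG):
        print(f"[{tag}] {detail}")
```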
 
Don't delete this one:

O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe

He's one of the good guys. This is part of his modem software.
 
Ok how do I delete these files? I navigated to the file location and it wasn't there? Am I missing something? Do I do it inside one of the programs or what? Please help.
 
Little more detail next time please guys :p

Go into Hijackthis and click scan

Then go to the keys highlighted above. Place a tick in the box next to those items ONLY.

Then, only after double-checking them to make sure you haven't checked a similar item, press Fix selected.

Then restart your PC, press "Scan with logfile" and post the log again to double-check you got it right.
 
Did good.

These trojans mostly come in on a GOOGLE redirect to a different server.
While the install is Google code it lists a provider in the registry like this
KEY
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\internet explorer\searchurl\
• provider = gogl or googl

I am not sure why your 2 are still listed but I would remove google and re-install directly from them to ensure you do not have such a provider in your registry.
GOOGL is hard to explain and detailed, so I ask you to trust me:
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

WOLF
 