firefox bookmarks hijacked after virus


seocom
Hi all,

I posted here with a virus problem a couple of weeks ago ( http://www.malwarebytes.org/forums/index.p...c=25185&hl= ), but unfortunately did not get any response. While I know that you guys are busy and that you volunteer your time, which is certainly appreciated, I hope that someone can help me finish clearing things up.

I did find a solution to the virus on another forum by reading about someone with similar conditions on their computer. It turned out to be "Trojan Horse Generic 14". The infected file was "eventlog.dll" in the system32 folder. After deleting this file, I was able to run Malwarebytes, and it detected and cleaned four Trojan Horse Generic 14 files with various four-letter extensions.

I can now run Malwarebytes (I couldn't during the infection), and the scan now comes up clean. I still have problems with bookmarks in Firefox (3.5.3). Older bookmarks from before the virus are fine. Most of those saved after the virus sometimes work OK; other times they go to sites other than where they are supposed to go. Also, bookmarks sometimes don't get saved, but then appear saved afterwards; they appear and disappear at will.

As I said, the Malwarebytes log comes up clean. Here is a copy of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:12 AM, on 9/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Spybot - S & D\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\aol\1249833265\ee\aolsoftware.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seocom.com/stan/ddopen.html
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iNPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [searchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - S & D\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Google Update Service (gupdate1ca1a92eb89107a) (gupdate1ca1a92eb89107a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5509 bytes

Thanking you in advance for your assistance,

Stan...

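The log above is in the HijackThis 2.0.2 text format. As an added example (this is not code from the thread, from Malwarebytes or from Trend Micro), the following Python parses that format: each numbered entry (R0, R3, O2, O4, O23, ...) is split into its section, description, COM CLSID and file path, and two questions a reader of such a log usually asks are answered in code: which entries point at a file that is no longer on disk ("(no file)"), and which CLSIDs are registered under more than one section. The sample lines are a constructed subset copied verbatim from Stan's log; the function and class names are my own and not a HijackThis API.

```python
"""Parser for HijackThis 2.0.2 log lines (added example, not part of the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the log posted in the thread, verbatim,
# including header, one process line and the "End of file" trailer that the
# parser must skip.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:12 AM, on 9/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.seocom.com/stan/ddopen.html
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\\Program Files\\AVG\\AVG8\\Toolbar\\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\\Program Files\\pdfforge Toolbar\\SearchSettings.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\\Program Files\\pdfforge Toolbar\\SearchSettings.dll
O4 - HKLM\\..\\Run: [searchSettings] C:\\Program Files\\pdfforge Toolbar\\SearchSettings.exe
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\\Program Files\\WinPcap\\rpcapd.exe
--
End of file - 5509 bytes
"""

# A numbered entry: one letter, one or two digits, then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# A COM CLSID in registry braces form.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "R3", "O2", "O23"
    description: str        # text before the first " - " separator
    clsid: Optional[str]    # upper-cased {GUID}, or None when the line has none
    path: Optional[str]     # last " - " field, or None when the line has no separator
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a numbered HijackThis line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    parts = rest.split(" - ")
    clsid_m = CLSID_RE.search(rest)
    return Entry(
        section=m.group("section"),
        description=parts[0],
        clsid=clsid_m.group(0).upper() if clsid_m else None,
        path=parts[-1] if len(parts) > 1 else None,
        raw=line.strip(),
    )


def parse_log(text: str) -> List[Entry]:
    """Parse a whole log; header, process list and trailer lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose registered file is missing on disk ("(no file)")."""
    return [e for e in entries if e.path == "(no file)"]


def clsid_index(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Map each CLSID to every entry that references it."""
    index: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.clsid:
            index[e.clsid].append(e)
    return dict(index)


def multi_registered(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSIDs registered under more than one section (e.g. both R3 and O2)."""
    result = {}
    for clsid, es in clsid_index(entries).items():
        sections = sorted({e.section for e in es})
        if len(sections) > 1:
            result[clsid] = sections
    return result


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(f"{len(found)} entries")
    for e in orphaned(found):
        print("orphan:", e.raw)
    for clsid, secs in multi_registered(found).items():
        print("registered in", "/".join(secs), ":", clsid)
```

The parser only splits on the " - " separator HijackThis uses, so O4 and R0 lines, which carry the path or URL inline without a separator, come back with `path=None`; extend `parse_entry` with a path regex if you need those fields. On the sample this reports the orphaned `*{CFBFAE00-...}` URLSearchHook and the pdfforge `{E312764E-...}` CLSID registered as both an R3 hook and an O2 BHO, which is exactly what a reader scanning the full log by eye would want pulled out first.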

Hi,

I did find a solution to the virus on another forum by reading about someone with similar conditions on their computer. It turned out to be "Trojan Horse Generic 14". The infected file was "eventlog.dll" in the system32 folder.

You shouldn't try fixes given to other users. Even if symptoms may look similar, they are hardly ever identical. Each malware removal process is a unique one.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Hi,

You shouldn't try fixes given to other users. Even if symptoms may look similar, they are hardly ever identical. Each malware removal process is a unique one.

Dear Blade81,

Thank you very much for responding to my request for help.

I know that this is a board that is run by volunteers and they are very busy. I certainly appreciate this fact and commend them for their dedication and hard work.

That being said.

1/ I know that I shouldn't try the fixes given to others.

2/ It has been almost a month since I posted my original request for assistance.

3/ Nowhere during that time did I receive any acknowledgment that anyone from this board had read my post and had me on their waiting list, nor any indication that I would ever get any type of assistance. This was even after I waited several days and PM'd a moderator as directed in the suggestions section.

4/ I am constantly reading of others who were in the same boat I was in, while at the same time reading other postings that get answers repeatedly.

Is it any wonder that I, and others, resort to trying other fixes to resolve our problems?

I repeat, I know that you guys are volunteers and are overworked, and again, I commend you all for your efforts and hard work. BUT, as a bit of constructive criticism, why not put a process in place so that people receive a short response saying that they have been heard and are being queued for assistance? Please don't just leave people hanging here. You have a great organization in place, and as such you have created the responsibility for yourselves to also respect the needs of the people who have come to you in the first place.

As stated previously, I did resort to someone else's fix to resolve my original problem, and luckily it worked. I eventually had to go to another forum on another board to help clear up the residual issues left behind by the original infection, but fortunately they were able to help me out. Incidentally, I received a response on the other board almost instantaneously.

So again, thank you and keep up the good work, BUT please take my suggestions under advisement for the good of this board and all who come here for assistance.

All the best,

Stan...


As stated previously, I did resort to someone else's fix to resolve my original problem, and luckily it worked. I eventually had to go to another forum on another board to help clear up the residual issues left behind by the original infection, but fortunately they were able to help me out.

Hi,

It would have been good if you had let us know that you were helped on the other forum so we could have closed this case.

Incidentally, I received a response on the other board almost instantaneously.

It's easier to get a quick response if a forum doesn't get many logs. As you can see from the timestamps of topics here, we get lots of cases to handle each day.

as a bit of constructive criticism, why not put a process in place so that people receive a short response saying that they have been heard and are being queued for assistance?

I don't think that would be right, since people might get a false impression that they'll get a reply soon after that "short response". It usually takes more than just a couple of days to get a reply. After all, we try to get a reply to as many cases as possible.


Hi,

It would have been good if you had let us know that you were helped on the other forum so we could have closed this case.

It's easier to get a quick response if a forum doesn't get many logs. As you can see from the timestamps of topics here, we get lots of cases to handle each day.

I don't think that would be right, since people might get a false impression that they'll get a reply soon after that "short response". It usually takes more than just a couple of days to get a reply. After all, we try to get a reply to as many cases as possible.

Hi,

I was in the middle of being helped at the other board when you responded.

I agree, you do get a lot of requests.

I still kind of disagree with you on the last point. People coming here are usually in a desperate state of mind. Any kind of response is certainly better than no response at all, and would give them the reassurance that they have at least been heard and will get some help eventually. Right now I see the responses to requests being made in a fairly random manner, and that was one of my primary concerns when I was waiting for any initial response. Even yesterday, when I made my prior posting, another person got a response from one of the experts within 5 hours of his original post, while others from days before are still out there waiting. It is not a perfect system that you guys have here, and it does contribute to a lot of frustration on the users' end.

Again, I am not trying to criticize, as you guys are doing something great here for the public, BUT I am just giving you a point of view from a user who has gone through your process. For my part, it's the randomness with which the cases are dealt with that causes the most concern, and gives some users the impression of "Hey, why am I being ignored here, when everyone else around me is getting help???"

In the meantime, thanks again for all that you guys do, and if you wish to close this case, please go ahead and do so... I just hope that my thoughts here can somehow contribute to this effort in some small way... Stan... :)

This topic is now closed to further replies.