
Umm, reoccurring trojans and a single hijack, and some more.



Ok, first time posting here, and I'm kinda young, but somewhat tech savvy, so please don't go too hard with the instructions.

So, for some reason, before today's flight to Texas, our mini netbook decided that it would not open Internet Explorer for more than two seconds before closing it out. This first started happening when I stayed at a "La Quinta" hotel and tried to access the internet, for we needed directions to a bowling tournament the next day. It was working fine until, about 30 or so minutes later, IE7 started to freak out on us and close out almost instantaneously after opening. We hired a man to fix that, and that he did, and he also installed Malwarebytes on the system, ran a scan, and found nothing.

Now I'm stuck in Texas for a month with said netbook, so I decided to try to find entertainment on the internet. Guess what? IE7 was doing it again. I booted up in safe mode w/ networking and it worked just fine in there, so as a solution, I downloaded Firefox, which seems to work both ways. I browsed the internet for a bit, downloaded an old game that I used to play back in 2006 (and it is 100% bug free from what I've seen) and then browsed some more... I must have accidentally clicked on an infected link or something, because shortly afterwards, CMD and a bunch of other strange things popped up at the same time in the left-hand corner. This scared the heck out of me somehow, and I closed them out instantly without bothering to look. I rebooted, spammed F8 and got into safe mode, where I found a few Trojans/spyware, a worm, and a hijack while using MWBTS. I deleted them and rebooted back into normal mode.

Now some strange links pop up whenever I access Yahoo Mail, and sometimes they open periodically. The viruses seem to multiply now, and it's freaking me out. I updated to IE8 and it still closes, and it keeps spawning new trojans + avoiding deletion. And also, as an added bonus of fun and joy, Malwarebytes will only boot up RELUCTANTLY in safe mode, and it seems the viruses are ALSO starting to BYPASS safe mode. Please help before it becomes overwhelming.... (Most recent log below; sorry for it only being a quick scan, but I wanted the viruses gone NOW instead of an hour later.)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4310

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

7/14/2010 5:00:46 PM

mbam-log-2010-07-14 (17-00-46).txt

Scan type: Quick scan

Objects scanned: 160288

Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dso32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{527e33ef-3eb6-4e03-bad9-417f2366c7a3}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ab20f715-c8e2-46fb-ab1d-af049a76ba87}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ab20f715-c8e2-46fb-ab1d-af049a76ba87}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Mine\Local Settings\Temp\Mhg.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mine\Local Settings\Temp\Mhh.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\WINDOWS\Mzehea.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\dsoqq1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mine\Local Settings\Temp\dsoqq0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\dsoqq.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mine\Local Settings\Temp\dsoqq.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Since I have stayed up all night attempting to fix this problem, I'm going to try and catch some shuteye, so I apologise if I don't respond immediately to a fix if anyone posts one.


Update: running full scan overnight, er, morning.... May still be awake when it is complete, and if so I apologize for the upcoming 3rd post... I also believe I found a way to delete the baddies for good, but we'll see.


Update: well, this ain't good. I detected 3 trojans all named trojan.fraudpack and I attempted to save the log and delete the quarantine.... well... the logs didn't save and my computer crashed. About to try rebooting again though, because said crash crippled my web browsers; now I have to use my crappy uncle's compy in order to post until I get this fixed, and it also means no new logs.... PLEASE HELP.... :)


EDIT! The reboot kicked in the internet browsers... it works now.... kinda afraid to test it out of safe mode though....


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!
