
My daughter's laptop had the fake "Windows Security Center" popping up. She would close it out and continue working until it got so bad the PC became unusable.

I downloaded the Anti-Malware program on another PC, transferred it over and ran it. A message popped up saying the database was 144 days outdated, so I updated, but it wouldn't update. I ran the quick scan and it found 19 issues, but this didn't get rid of the Security Center virus. I ran the full scan, and nothing else was found.

I then downloaded the update on the other PC and transferred that over (mbam-rules). Now the database was only 8 days outdated. I reran the quick scan and much more was found. The Security Center appears to be gone, but I can no longer connect using Internet Explorer or Firefox (either wireless or with LAN cable).

- I have rebooted router and PC many times (all other PCs connected to this router are OK)

- I tried disabling the firewall(s)

- I tried removing Winsock & Winsock2 (advice found elsewhere)

- Reinstalled IE 8

- checked "Automatically detect settings" under LAN Settings

Here is the third scan log that removed the virus. Any advice would be appreciated! :)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6516

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/14/2011 12:26:56 AM

mbam-log-2011-05-14 (00-26-56).txt

Scan type: Quick scan

Objects scanned: 181193

Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 7

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\ehuhaxovabuyud.dll (Trojan.Hiloti) -> Delete on reboot.

c:\WINDOWS\msetru.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_CLASSES_ROOT\AdvBHO.AdvBHO.1 (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_CLASSES_ROOT\AdvBHO.AdvBHO (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (PUP.BrowserModifyer) -> Not selected for removal.

HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Htisamoqix (Trojan.Hiloti) -> Value: Htisamoqix -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jloradunujanecat (Trojan.Hiloti) -> Value: Jloradunujanecat -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usiftwvd (Trojan.FakeAlert.Gen) -> Value: usiftwvd -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Kaylee\Local Settings\Application Data\ryc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Kaylee\Local Settings\Application Data\ryc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Kaylee\Local Settings\Application Data\ryc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\ehuhaxovabuyud.dll (Trojan.Hiloti) -> Delete on reboot.

c:\WINDOWS\msetru.dll (Trojan.Hiloti) -> Delete on reboot.

c:\documents and settings\Kaylee\AdvBHO.dll (PUP.BrowserModifyer) -> Not selected for removal.

c:\documents and settings\all users\application data\amkhihlhyea.dll (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\fhcghekiwqp.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\pqclsoelaqb.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\tajymhxtvegigv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\uvioqwufxlstvg.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Ally\local settings\Temp\1453E8.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Ally\local settings\Temp\tmp57.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\George\local settings\Temp\temporary directory 1 for wirelesskeyview.zip\wirelesskeyview.exe (PUP.WirelessKeyView) -> Not selected for removal.

c:\documents and settings\Kaylee\local settings\Temp\tmp213.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\Kaylee\local settings\application data\ryc.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Kaylee\local settings\Temp\msmonitor (Adware.DeepDive.MS) -> Quarantined and deleted successfully.

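As an added triage example (not part of the thread): a PowerShell snippet that parses lines in the Malwarebytes log format above and groups them by outcome, so that anything the scanner did not actually remove stands out. The sample lines are copied from the log posted above; point Get-Content at the real log file to run it against a full log. The line pattern is inferred from the log above and is an assumption about the format.

```powershell
# Added triage example (not from the thread): parse a Malwarebytes' Anti-Malware log
# and group detections by outcome, so items that are still on the machine stand out.
# The sample below is a handful of lines copied from the scan log posted above;
# against a real file use:  $lines = Get-Content 'C:\mbam-log-2011-05-14 (00-26-56).txt'
$lines = @'
c:\WINDOWS\ehuhaxovabuyud.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\msetru.dll (Trojan.Hiloti) -> Delete on reboot.
HKEY_CLASSES_ROOT\AdvBHO.AdvBHO (PUP.BrowserModifyer) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Htisamoqix (Trojan.Hiloti) -> Value: Htisamoqix -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Kaylee\Local Settings\Application Data\ryc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
c:\documents and settings\Kaylee\AdvBHO.dll (PUP.BrowserModifyer) -> Not selected for removal.
c:\documents and settings\Kaylee\local settings\application data\ryc.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
'@ -split "`r?`n"

# Every detection line has the shape:  <item> (<Category>) -> [<detail> -> ]<action>.
$pattern = '^(?<item>.+?) \((?<category>[A-Za-z0-9.]+)\) -> (?<rest>.+)$'

$findings = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $item     = $Matches.item
        $category = $Matches.category
        $parts    = $Matches.rest -split ' -> '
        # Middle segments ("Value: ...", "Bad: (...) Good: (...)") are the detail;
        # the last segment is what the scanner actually did with the item.
        $detail = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] -join ' -> ' } else { '' }
        [pscustomobject]@{
            Item     = $item
            Category = $category
            Detail   = $detail
            Action   = $parts[-1].TrimEnd('.')
        }
    }
}

'Detections by outcome:'
$findings | Group-Object Action | Sort-Object Count -Descending |
    ForEach-Object { '  {0,3}  {1}' -f $_.Count, $_.Name }

# Anything not quarantined is still present: skipped by the user ("Not selected for
# removal") or waiting for the next boot ("Delete on reboot"). That is why a log that
# reads as a successful clean can still leave a machine misbehaving.
''
'Still present until acted on:'
$findings | Where-Object { $_.Action -ne 'Quarantined and deleted successfully' } |
    Sort-Object Action | Format-Table Action, Category, Item -AutoSize

# StartMenuInternet hijacks record what the browser shortcut really launched;
# keep that for the investigation even though the value has been restored.
$findings | Where-Object { $_.Category -eq 'Hijack.StartMenuInternet' } |
    ForEach-Object { 'Browser launch was: ' + $_.Detail }
```

Run against the full log above, the second table is the interesting part: the two Hiloti DLLs are only scheduled for deletion at the next reboot, and the six AdvBHO entries plus its DLL were never removed at all.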

Try these and see if it fixes the issues

Proxy

Open Internet Explorer. Click on Tools, then Internet Options. Then click on the Connections tab.

Then press the LAN Settings button and uncheck the Use a proxy server checkbox. Then press OK until you are out of the options screen.

=========================================================

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /flushdns

IPCONFIG /renew

IPCONFIG /registerdns

============================================================================

Check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Click on Properties
  4. Double-click on the Internet Protocol (TCP/IP) item
  5. Select the radio button that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /renew

Type Exit

Restart the computer.

ipconfig /flushdns (the space between g and / is needed)

regsvr32 netshell.dll

regsvr32 netcfgx.dll

regsvr32 netman.dll

Exit

Restart the computer.

_________________________________

Start, Programs\Accessories and right-click on Command Prompt, select "Run as Administrator" to open a command prompt.

In the command prompt window that opens, type the following commands:

netsh winsock reset catalog (hit enter)

netsh int ipv4 reset reset.log (hit enter)

netsh int ipv6 reset reset.log (hit enter)

restart

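The whole procedure in the reply above, as an added PowerShell example (not from the thread, and not a Malwarebytes tool): without switches it only reports the settings the scan log implicated (IE proxy, browser launch commands, Run keys, Browser Helper Objects, Winsock catalog); with -Fix it applies the proxy, Winsock, TCP/IP and DNS steps listed in the reply and nothing else. Assumptions: it is run from an elevated prompt, the registry paths are the standard Internet Explorer and Explorer locations, and the "more than one .exe in the command" wrapper test is a heuristic derived from the Bad: values in the log above rather than a rule from the page.

```powershell
# Added audit script (not from the thread). Read-only by default; -Fix applies only the
# steps the reply above prescribes: clear the IE proxy, reset Winsock and TCP/IP, flush DNS.
# Run it from an elevated PowerShell prompt.
param([switch]$Fix)

$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

'== Proxy (the scan removed a PUM.Bad.Proxy value; a leftover ProxyEnable=1 still blocks browsing) =='
'ProxyEnable  : {0}' -f $proxy.ProxyEnable
'ProxyServer  : {0}' -f $proxy.ProxyServer
'AutoConfigURL: {0}' -f $proxy.AutoConfigURL

'== Browser launch commands (Hijack.StartMenuInternet wrapped these in ryc.exe) =='
$smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
Get-ChildItem -Path $smi -ErrorAction SilentlyContinue | ForEach-Object {
    $client = $_.PSChildName
    foreach ($verb in 'open', 'safemode') {
        $cmd = (Get-ItemProperty -Path "$smi\$client\shell\$verb\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) {
            # Heuristic taken from the Bad: values in the log: a clean command names one
            # executable, a wrapper names two (wrapper.exe -a "browser.exe").
            $exeCount = [regex]::Matches($cmd, '(?i)\.exe\b').Count
            $flag = if ($exeCount -gt 1) { '   <-- wrapper, inspect' } else { '' }
            '{0,-14} {1,-8} {2}{3}' -f $client, $verb, $cmd, $flag
        }
    }
}

'== Run keys (Hiloti and FakeAlert persisted here) =='
foreach ($hive in 'HKLM', 'HKCU') {
    $run   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        # Drop the PSPath/PSChildName/... bookkeeping properties Get-ItemProperty adds
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0,-4} {1,-24} {2}' -f $hive, $_.Name, $_.Value }
    }
}

'== Browser Helper Objects (the AdvBHO entries were left in place by the scan) =='
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $dll   = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    '{0}  {1}' -f $clsid, $dll
}

'== Winsock catalog (a third-party LSP left behind by malware breaks every TCP application) =='
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'

if ($Fix) {
    # Exactly the reply's steps: proxy off, Winsock and TCP/IP reset, DNS cache flushed.
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $inet -Name $name -ErrorAction SilentlyContinue
    }
    netsh winsock reset catalog
    netsh int ip reset reset.log    # "int ipv4"/"int ipv6" are the Vista-and-later spellings
    ipconfig /flushdns
    'Fixes applied; reboot before testing the browsers.'
}
```

Run it once without -Fix and keep the output: if a browser command still shows two executables, or a BHO CLSID resolves to a DLL under a user profile, the scan has not finished the job and re-running the proxy/Winsock steps alone will not restore browsing.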

For that user:

Vista users:

1. These tools MUST be run from the executable. (.exe)

2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them

1) exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
