
I am infected with Tagasaurus and others... [Solved]


  • This topic is locked

#16 Katie_Harlow87 (Member, Topic Starter, 25 posts)
I updated Java, (it took a while, and it wouldn't install at first) then I downloaded and ran Kaspersky...except there was nothing in the log, because it didn't find any infected files. I am now trying to download service pack 3 for IE, but...it freezes just beyond halfway through, but...I'm going to keep trying. I'll update you when I am successful. Also, tagasaurus problem is still there, but...I am determined to conquer it...with your help. :] Talk to you soon!

#17 Katie_Harlow87 (Member, Topic Starter, 25 posts)
OK. I have IE7 installed, as well as the new service pack.

I am surfing around, and so far no sign of tagasoreass... I changed the name, because...you seemed to have kicked its [bleep]... :)

However...right when I started surfing, (after installing IE7 and the new service pack) I think I saw the tagasaurus pop-up appear for a split second...but it didn't cause any pages to disappear or anything. In fact, at times when I've dealt with pop-up windows, one or many windows would vanish...and what is happening now is that instead of 3 windows vanishing (for example) they remain active, but I am taken 3 windows back... (if that makes sense)

So basically, this seems very promising, and...at this point, (after you prompt me) I imagine that I should do another hijackthis log?

In the meantime, I want to thank you again for being so RAD. :]

You truly rock, and...I'll talk to you laterrr. :]

#18 Katie_Harlow87 (Member, Topic Starter, 25 posts)
I spoke too soon... Tagasaurus is back. In the meantime, (before you instruct me further) I will re-download Avast, and...look for more info about Tagasaurus on Google, etc. Geez...where is this bugger located on my computer...? It seemed gone, but then...it slipped through somehow, or..something.

#19 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Glad to hear Kaspersky came back clean. We'll get this one, don't worry :).

That pop-up is not an especially big deal - it's just Spybot blocking an ad. I'd be interested to know what site you're visiting when you experience that error.

The first thing I would try to get rid of that popup is this:

Click on the "Tools" menu in IE and select "Spybot – Search & Destroy Configuration". In the "Spybot S&D - Configuration" window that appears click on the "Settings" tab. Under "When encountering bad things" you can select among:
  • Block all pages silently
  • Display dialog when blocking
  • Ask for blocking confirmation
Select "Block all pages silently". This should cause spybot to block the page without any annoying dialogue box.

Give that a shot and let me know whether it worked in your next reply, also if you have the site you're at when you get the popup that would be helpful.

Cheers,
Dave

#20 Katie_Harlow87 (Member, Topic Starter, 25 posts)
Alright, I am blocking pages silently, and as I've been surfing since I woke up, (about 40 mins) there is no sign of tagasaurus... :]

Also, after I installed IE7, (and the service pack) I went ahead and re-downloaded Avast. Then I ran Avast upon boot-up, and it found 'Win32:Tidserv' trojan, and I moved it to the chest. Should I have deleted it?

Also, when I log in, Spybot asks me whether or not I want to allow or deny certain changes, and...for the ones that don't have info about them, it's guesswork...ya know? Hopefully I haven't compromised something in regards to that. (although, I don't think I have)

So...I will report back after I've been surfing for a bit.

Talk to you later!

#21 Katie_Harlow87 (Member, Topic Starter, 25 posts)
Well, that was quick. I just got a pop-up saying that 'IE has encountered a problem' etc...and removal of said pop-up caused a page to vanish. I wasn't doing anything special, besides trying to look up why AVG won't update for me. I will update you in a little while.

#22 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
AVG 7 is a very old antivirus program, Grisoft doesn't maintain it anymore so that's why you can't update it. You have two antivirus programs installed on your PC - Avast and AVG. The problem with this is that the programs can conflict with each other and hog system resources, generally making a mess of things. You should pick one of the two to keep and remove the other.

For my recommendation about which to keep, Avast is near the top of the line in antivirus programs, the newer AVG 8 doesn't quite match up in terms of detection rates and such. If I were you I'd uninstall AVG and keep Avast. It's your decision though.

About the internet errors - I'd be interested to know if you get them using any other browser. You mentioned wanting to give Firefox a try earlier; it's my favorite browser for several reasons, security, speed, and far far greater functionality are just a few, definitely worth the short period of adjustment to start using it. Download Firefox and install it, and surf around a bit just doing what you normally do. Let me know of anything out of the ordinary you see.

Cheers,
Dave

#23 Katie_Harlow87 (Member, Topic Starter, 25 posts)
Update: I haven't been home, hence my non-timely update today. So...I uninstalled AVG as per your advice, in conjunction with looking up comparisons, etc. I am running Avast now, and Windows Defender, and Spybot... Although I am considering Comodo. I have yet to download Firefox, but I will tell you when I do. (well, after I do, and then play with it)

Avast occasionally finds Mundo and a few other things...but I don't see damage from them. Tagasaurus seems dormant for now or something...but I must say that with your help, I have gone a long way so far. Thank you thank youuu. :] I will talk to you later. xo

#24 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Comodo is an excellent firewall program, one of my favorites. If you do decide to install it, don't forget to disable the default windows firewall so there aren't any conflicts:
  • Start -> Control Panel. Click on Classic View.
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Glad to hear there aren't any more tagasaurus popups, I'll await your update :).

#25 Katie_Harlow87 (Member, Topic Starter, 25 posts)
I have yet to download Comodo, but I will soon.

I have a question that I thought you could help me with about Monder...

I have a Monder problem. It shows up randomly by Avast, and when I do boot scans with avast, it finds it.

So, I was mining for help on Google, and I came across this site: http://www.techpings...2mondergen.html

Someone suggested this site to remove Monder: http://www.f-secure....oval_tools.html with this being the thing to download, I think:

F-Vmonde
F-Vmonde tool detects and deactivates Virtumonde from Windows XP/2003 systems. Virtumonde is adware that serves pop-up advertisements. It uses special techniques to avoid removal, which are circumvented with this tool.
Download: http://www.f-secure....ls/f-vmonde.zip
Download: http://www.f-secure....ls/f-vmonde.exe
Readme: http://www.f-secure....ls/f-vmonde.txt

My question is whether or not that site is legit...however, if it is straying too far off the topic at hand, please tell me. All of this virus/trojan stuff is vexing me greatly, and...I'm frustrated.

I wish that I knew more about computers so that I wouldn't potentially waste your time whilst helping me... :[

Thanks always, and I'll talk to you later.

#26 Katie_Harlow87 (Member, Topic Starter, 25 posts)
http://w32-monder-tr...e.qarchive.org/
http://www.brotherso...am.-190481.html

Those are links to download 'cleanmonder.exe' and I'm wondering if I should download it... Do you have any advice?

#27 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hi Katie -

Cleanmonder.exe is not a tool I've heard of... the more reputable tools for cleaning Virtumonde are VundoFix and ComboFix, so I would stay away from that one. However, I don't think any of these will be needed here :)

After a clean Kaspersky scan I'd be highly surprised to find that you still have an active Virtumonde infection. My guess would be that the files Avast is finding have already been quarantined by our tools or are in the system restore cache (harmless in both cases). The reason the detections would be happening over and over again is that if it's finding files in system restore, it can't delete them because they're protected by the operating system. To be sure of this, would you run a full scan with Avast and post the log for me? I'm not sure about the specific working of Avast having never used it myself so if you aren't able to get the log itself, if you could write down the file paths of the virtumonde detections and post those that would be fine.

Cheers,
- Dave

#28 Katie_Harlow87 (Member, Topic Starter, 25 posts)
Hi, I will run Avast when I get home later. (in the mid-afternoon hour) and as it's running, it asks me to 'move to chest', 'delete', etc, and I will write down what it finds, because I don't see where it leaves a log. I hope that you have a good day, and...I'll talk to you later!

Edited by Katie_Harlow87, 11 January 2009 - 12:18 PM.


#29 Katie_Harlow87 (Member, Topic Starter, 25 posts)
***edit*** For about a day now, I've been experiencing something very odd. When I am typing, the cursor freezes for a couple of seconds at a time... Why would it do that? Is it related to Mondo or something?
***end of edit***

I just ran a Kaspersky scan, (and I disabled Avast and Spybot before the scan began) and this is what it found...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 17:36:27
Records in database: 1603648
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 53864
Threat name: 5
Infected objects: 9
Suspicious objects: 2
Duration of the scan: 01:20:32


File name / Threat name / Threats count
C:\WINDOWS\system32\xxyxUklJ.dll/C:\WINDOWS\system32\xxyxUklJ.dll Infected: Trojan.Win32.Monder.alth 4
C:\Documents and Settings\Andrew\Local Settings\Temp\rmxanceosw.tmp Suspicious: PECompact 1
C:\Documents and Settings\Andrew\Local Settings\Temp\seneka8215.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\6EBOLIHV\divx[1] Infected: Trojan.Win32.Monder.alth 1
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\KQZTP2IL\klite_ath_cx[1] Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\WINDOWS\system32\cbXRjGVl.dll Infected: Trojan.Win32.Monderb.adqt 1
C:\WINDOWS\system32\prunnet.exe Suspicious: PECompact 1
C:\WINDOWS\system32\xxyxUklJ.dll Infected: Trojan.Win32.Monder.alth 1

The selected area was scanned.

Edited by Katie_Harlow87, 11 January 2009 - 08:13 PM.


#30 Katie_Harlow87 (Member, Topic Starter, 25 posts)
And then I ran Malwarebytes, and here is the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1636
Windows 5.1.2600 Service Pack 3

1/12/2009 2:24:57 AM
mbam-log-2009-01-12 (02-24-57).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 107506
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xmamntnq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyxUklJ.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12a56145-af5e-450d-bd00-9ef8aed62324} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{12a56145-af5e-450d-bd00-9ef8aed62324} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxoijds (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12a56145-af5e-450d-bd00-9ef8aed62324} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxuklj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxuklj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xxyxUklJ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\JlkUxyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JlkUxyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXOiJDs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gdbdftpe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eptfdbdg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmamntnq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qntnmamx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\rmxanceosw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\seneka8215.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\ICI9JGZS\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\ICI9JGZS\upd105320[2] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
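As an added example (not part of this thread, and not Malwarebytes' own code), a small Python triage script for logs in the format posted above: it parses the "item (threat) -> action" lines and groups them by the location they point at, so the autostart points the Vundo entries use (Browser Helper Object CLSIDs, Winlogon\Notify, LSA packages) stand apart from inert copies in the System Restore cache of the kind Dave describes in #27, and it lists what is still pending a reboot. The System Restore line and the location labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Entries copied from the Malwarebytes log posted above, plus one constructed
# System Restore line to show the "inert copy" case Dave describes in #27.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12a56145-af5e-450d-bd00-9ef8aed62324} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxoijds (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxuklj -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\xxyxUklJ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{CONSTRUCTED}\RP1\A0000001.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "<item> (<threat>) -> <rest>."  where <rest> may itself contain "Data: ... ->".
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Location patterns, checked in order. Labels are this example's own wording.
LOCATIONS = [
    (r"\\System Volume Information\\_restore", "System Restore cache (inert copy)"),
    (r"\\Winlogon\\Notify\\", "Winlogon notify package (runs at logon)"),
    (r"\\LSA\\(Authentication|Notification) Packages", "LSA package (loads into lsass)"),
    (r"\\Browser Helper Objects\\", "IE Browser Helper Object"),
    (r"\\system32\\[^\\]+\.dll$", "DLL in system32"),
]

def parse_mbam(text):
    """Return one dict per entry line; 'Section:' headers set the section."""
    section, entries = None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = ENTRY.match(line)
        if m:  # "(No malicious items detected)" lines do not match and are skipped
            action = m["rest"].rsplit("->", 1)[-1].strip()
            entries.append({"section": section, "item": m["item"],
                            "threat": m["threat"], "action": action})
    return entries

def classify(item):
    for pattern, label in LOCATIONS:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "other"

def triage(text):
    """Group items by location and list those still pending a reboot."""
    by_location, pending = defaultdict(list), []
    for e in parse_mbam(text):
        by_location[classify(e["item"])].append(e["item"])
        if e["action"].lower().startswith("delete on reboot"):
            pending.append(e["item"])
    return dict(by_location), pending
```

Anything in the pending list should be checked again after the reboot Malwarebytes asks for, since those items were still loaded when the scan ran.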