Many trojans found and redirecting startpage

generic_r dlllhost.exe qonifa.dll gogletab.com geo-dom.exe roaming monrolw

#1 SamStencil, Member

Hello guys and gals, again! How are you doing? :)

We're having some issues with one notebook here and it seems pretty bad.

Apart from the system being very slow and weird when starting (you press the start button, it acts as if it was going to freeze or show some error, but slowly starts to run), AVG opens up right when you start the computer and already shows around three different threats.

These follow:

C:\Users\username\appdata\Roaming\Geo-Dom.exe

C:\Users\username\appdata\Roaming\autoupdate.exe

C:\Users\username\appdata\Roaming\Qonifa.dll

When I open up any of the browsers the pages are not the chosen start page. When testing Firefox, it showed a link with lots of numbers and letters saying something like 'host not available', and Chrome opens up Gogletab.com as the start page.

This got me a bit nervous about using the browser, and that's why I didn't download the required program in the GeeksToGo Malware Guide.

Still, I couldn't find any way to change the start page of any of those.

When I opened the processes I found dlllhost.exe, vpnui.exe, syshostctl.exe, dwm.exe...

I'm trying to run Malwarebytes; it has found around 247 threats and is still running, but the system is very slow.

I also just tried disconnecting it from the internet, and the trojan warnings don't show.

It's a Toshiba Satellite L750/755, runs Windows Vista 7 64-bit.

Hope anybody can give me some enlightenment.

Thanks ahead!

#2 RKinner, Malware Expert

Attached is FRST64.zip.

Attached File: FRST64.zip (1.79MB)

Download it, save it and then right click and Extract it to your desktop. Right click on FRST64.exe and run as admin.

Check the box for Addition.txt and then hit Scan. When it finishes you will have two files. Copy and paste each into a separate reply.

#3 SamStencil, Topic Starter, Member

Hi!

Well, that's the thing: I can't do anything on the notebook, it started freezing completely D:

unless I use some USB stick to transfer the file. I'll try again tomorrow and then I'll give you the feedback!

#4 RKinner, Malware Expert

You might have better luck in Safe Mode with Networking.

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Log in with your usual login.)

#5 SamStencil, Topic Starter, Member

Hey, I'm back!

I was able to start the computer in Safe Mode with Networking, but even though it said it was connected to our Wi-Fi it wouldn't work, as though it wasn't connected :/

Any tips?

Thank you!


Edited by SamStencil, 12 August 2016 - 01:58 PM.

#6 RKinner, Malware Expert
In IE, Gear icon (Tools), Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In Firefox, three horizontal lines icon, Options, Advanced, Network, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, three horizontal lines icon, Settings, Show Advanced Settings, Network, Change Proxy Settings, LAN Settings, uncheck all boxes, OK. Chrome uses IE's settings.

If still no good:

Open an elevated command prompt:
Win 7 & Vista: Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator

If you open an elevated command prompt it will by default open in c:\Windows\system32

Once you have an elevated command prompt, type with an Enter after each line:

Ping 8.8.8.8

Should give you:

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=11ms TTL=56
Reply from 8.8.8.8: bytes=32 time=11ms TTL=56
Reply from 8.8.8.8: bytes=32 time=10ms TTL=56
Reply from 8.8.8.8: bytes=32 time=10ms TTL=56

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 11ms, Average = 10ms

nslookup geekstogo.com

Is this what you get for addresses?

Server:  cdns01.comcast.net
Address:  75.75.75.75

Non-authoritative answer:
Name:    geekstogo.com
Addresses:  104.28.28.94
          104.28.29.94

Tracert -d 8.8.8.8

Do you get "Trace complete"? What is the last IP address?

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     9 ms     8 ms     8 ms  96.120.12.37
  3     8 ms     8 ms     8 ms  68.85.221.41
  4    10 ms    10 ms     9 ms  68.86.103.5
  5    13 ms    21 ms    10 ms  68.86.92.121
  6    12 ms    11 ms    11 ms  68.86.86.77
  7    12 ms    11 ms    11 ms  68.86.83.10
  8    10 ms    11 ms    10 ms  75.149.228.174
  9    11 ms    11 ms    11 ms  209.85.241.131
 10    12 ms    12 ms    12 ms  209.85.241.175
 11    11 ms    10 ms    10 ms  8.8.8.8

Trace complete.

The next two reset the network:

netsh winsock reset catalog
netsh int ip reset reset.log

(I think this is just for XP; use the next line for newer Windows)

netsh int ipv4 reset %userprofile%\Desktop\reset4.log

Reboot.

If all else fails, use a USB stick to move FRST64 to the sick PC.

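As an added example (not from the thread or from any of its posters), a PowerShell script that runs the same checks the post above walks through in one pass: it reads the WinINET proxy values that IE and Chrome share, pings 8.8.8.8, resolves geekstogo.com, and lists the DNS servers the adapters actually use, so a "ping works but names don't" pattern points straight at a proxy or resolver problem. It assumes Windows PowerShell 3.0 or later run as Administrator; the registry path and cmdlets are standard Windows ones, and the expected addresses are only those quoted in the post.

```powershell
# Added diagnostic script (not from the thread). Reads the WinINET proxy settings that
# IE and Chrome share, then repeats the ping / name-resolution checks from the post.
$regPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $regPath
$report   = [ordered]@{}

$report['ProxyEnable']   = $settings.ProxyEnable     # 1 = a manual proxy is forced on
$report['ProxyServer']   = $settings.ProxyServer     # host:port that a hijacker would insert
$report['AutoConfigURL'] = $settings.AutoConfigURL   # PAC script URL; normally empty at home

# Anything here routes every browser request through a host the user did not choose
if ($settings.ProxyEnable -eq 1 -or $settings.AutoConfigURL) {
    Write-Warning "Browser proxy settings are not default: $($settings.ProxyServer) $($settings.AutoConfigURL)"
}

# Raw IP reachability: same as 'ping 8.8.8.8' in the post (4 replies expected)
$ping = Test-Connection -ComputerName 8.8.8.8 -Count 4 -ErrorAction SilentlyContinue
$report['PingReplies'] = ($ping | Measure-Object).Count

# Name resolution: same as 'nslookup geekstogo.com'; the post shows 104.28.28.94 / 104.28.29.94
try {
    $addrs = [System.Net.Dns]::GetHostAddresses('geekstogo.com') |
             ForEach-Object { $_.IPAddressToString }
    $report['ResolvedAddresses'] = $addrs -join ', '
} catch {
    $report['ResolvedAddresses'] = "DNS failure: $($_.Exception.Message)"
}

# Resolvers configured on the live adapters; a hijacked DNS setting shows up here
$report['DnsServers'] = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder }) -join ', '

# Reading: PingReplies = 4 with a DNS failure means the wire is fine and the fault is
# in the proxy or resolver settings, which is exactly what the manual steps above clear.
[pscustomobject]$report | Format-List
```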