Jump to content


Photo

"Updatenow.org" and porn windows


  • This topic is locked This topic is locked
4 replies to this topic

#1 mayra23

mayra23

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 July 2004 - 10:18 AM

I have two problems:
1)When I make a connection my IE opens automatically this: http://amateur.gayho...an/Card-p1.html

2)Many times a window (obviouslly a non-microsoft window) opens and asks me to enter "www.updatenow.org" because some of my softwares are affected.

I followed the steps of the FAQ from this forum and some other programs like Bazooka, Spywareblaster and Cwshredder, but none of them worked for me.

In HijackThis I fixed some weird lines and deleted the *.exe files showed on them, but the last line (O17 - HKLM\System\CCS\Services\Tcpip\..\{C588ACEA-49A9-4BAB-91A1-3AD310486CE7}: NameServer = 200.175.5.133 200.175.89.139) comes back again every time I fix it.

The last log shows a new *.exe file: xqtlowg.exe and the problem continues...

I have a windows XP Professional, installed a week ago after a complete rebbot on the system due to some virus attack.

Thanks, if someone can help :thumbsup: ... this is the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 12:06:08, on 13/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MSlti16.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe
C:\WINDOWS\System32\Mcafeescn.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\laars.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\xqtlowg.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Yahoo! Acesso Gratis] "C:\Arquivos de programas\Yahoo! Acesso Gratis\autoupdate.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C588ACEA-49A9-4BAB-91A1-3AD310486CE7}: NameServer = 200.175.5.133 200.175.89.139

#2 mayra23

mayra23

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 July 2004 - 10:59 AM

...ah, and my browser only answers when I click many times... :weep:

#3 mayra23

mayra23

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 July 2004 - 12:29 PM

Please, someone help me... :deal:

#4 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 13 July 2004 - 04:40 PM

Hi there!

Could you go back into HijackThis and restore all of the items you removed? The problem with removing "weird" items is that they may be legit or they may give clues as to what infected your computer.

After restoring the items, post a new log.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 28 October 2004 - 02:12 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button