| Thread ID: 92701 | 2008-08-19 07:38:00 | Browser Hijacked | Blam (54) | Press F1 |
| Post ID | Timestamp | User |
| 698620 | 2008-08-19 07:38:00 | Blam (54) |
Hi, just removed Antivirus XP 2008 from a friend's computer with Malwarebytes Anti-Malware, but now I think that the browser is hijacked and there seem to be more viruses running in the background, as sometimes it doesn't go to the intended website and redirects to another website. Also, Trojan Remover doesn't work; when I try to open it, it shows up this (Attached file: untitled0.bmp (1.83 MB)). Very weird. Here is a logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:22, on 19/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\gbyjqhqd\qrwrmdcx.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\update\update.exe
G:\Almost Everything\Security Utilities\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [rbzzaaae] %systemroot%\rbzzaaae.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [yvtcrvQ1YD] C:\Documents and Settings\All Users\Application Data\gbyjqhqd\qrwrmdcx.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HKBN 2b.lnk = C:\Program Files\HKBN 2b\asulauncher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O21 - SSODL: actadmapi - {46F765C4-1C48-4401-5686-062365CD7F25} - C:\Program Files\fvyocbg\actadmapi.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3956 bytes

It is short because he doesn't have many programs installed.
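An added example (my own code, not from this thread and not HijackThis's own logic): a small Python checker that reads HijackThis entries like the ones in the log above and flags the kinds of lines the thread goes on to fix. The sample log is a constructed excerpt of the log in this post, and the rules (Run entries under Policies\Explorer\Run, executables launched from All Users\Application Data or straight out of the Windows folder, any SSODL entry, services with no file) are heuristics I chose for this log, so each hit still needs a human to confirm.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus two NVIDIA entries that should NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rbzzaaae] %systemroot%\rbzzaaae.exe
O4 - HKLM\..\Policies\Explorer\Run: [yvtcrvQ1YD] C:\Documents and Settings\All Users\Application Data\gbyjqhqd\qrwrmdcx.exe
O21 - SSODL: actadmapi - {46F765C4-1C48-4401-5686-062365CD7F25} - C:\Program Files\fvyocbg\actadmapi.dll
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# An .exe sitting directly in the Windows folder (or %systemroot%), not in a subfolder.
WINROOT_EXE = re.compile(r"(?:%systemroot%|c:\\windows)\\[^\\\s]+\.exe", re.I)
# Shared profile data folder: legitimate autostarts rarely launch from here.
ALL_USERS_APPDATA = "\\all users\\application data\\"

def check_entry(line):
    """Return a reason if a HijackThis line deserves review, else None.
    The rules are heuristics written for this thread's log, not HijackThis's
    own logic; a human still confirms each hit before ticking it."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.group(1), m.group(2)
    low = body.lower()
    if section == "O4":
        if "\\policies\\explorer\\run" in low:
            return "autorun under Policies\\Explorer\\Run (rarely used by legitimate software)"
        if ALL_USERS_APPDATA in low or WINROOT_EXE.search(low):
            return "autorun launches an executable from an unusual location"
    if section == "O21":
        return "ShellServiceObjectDelayLoad entry: a known hijack point, confirm the DLL"
    if section == "O23" and "(no file)" in low:
        return "service whose binary is missing (orphaned leftover)"
    return None

def review_log(text):
    """Return [(entry, reason)] for every log line that check_entry flags."""
    flagged = []
    for raw in text.splitlines():
        reason = check_entry(raw)
        if reason:
            flagged.append((raw.strip(), reason))
    return flagged
```

Run `review_log` over a full saved log; the four entries it returns for the sample are exactly the ones a reviewer would want to look at first, while the NVIDIA and Adobe lines pass untouched.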
| 698621 | 2008-08-19 07:47:00 | Speedy Gonzales (78) |
Uninstall MyWebSearch.
Disable System Restore.
Tick these, then tick Fix checked.
Delete this file if it's there afterwards: C:\Documents and Settings\All Users\Application Data\gbyjqhqd\qrwrmdcx.exe
Delete these files afterwards (kill their process):
O4 - HKLM\..\Run: [rbzzaaae] %systemroot%\rbzzaaae.exe
O4 - HKLM\..\Policies\Explorer\Run: [yvtcrvQ1YD] C:\Documents and Settings\All Users\Application Data\gbyjqhqd\qrwrmdcx.exe
O4 - Startup: HKBN 2b.lnk = C:\Program Files\HKBN 2b\asulauncher.exe
O21 - SSODL: actadmapi - {46F765C4-1C48-4401-5686-062365CD7F25} - C:\Program Files\fvyocbg\actadmapi.dll
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - (no file)
Reboot, then update Trojan Remover, click on Scan, select all options under Utilities.
| 698622 | 2008-08-20 05:46:00 | Blam (54) |
Sorry for the late reply, couldn't gain access to it till now; I will reply again tomorrow. Also, after installing TR it shows up a box saying this: STOP! Your license has expired, and then there are options to enter a registration code, buy the software and instructions on how to install it. I have tried reinstalling but the same message appears. Has TR been taken over?
| 698623 | 2008-08-20 06:43:00 | Speedy Gonzales (78) |
No, if you've had Trojan Remover for 30 days+ it'll expire; it's a trial till you pay for it. Did you have it installed previously? [edited: advice on how to bypass expired trial versions of software is not permitted on this forum - Jen (Moderator)] Get Malwarebytes and install / update it, then click on Scan. See what that picks up.
| 698624 | 2008-08-20 09:34:00 | Blam (54) |
Already scanned with Malwarebytes, picked up nothing. Also I am sure that the message box that came up from TR was fake; it didn't look like what a company would do, very dodgy. Sorry I can't get you a screenshot, I currently don't have access to it.
| 698625 | 2008-08-20 09:48:00 | Speedy Gonzales (78) |
After you ticked the entries in post 2, did you kill those processes then delete those files? Install Avast / NOD32 and scan the HDD.
| 698626 | 2008-08-20 10:15:00 | Blam (54) |
Quote: After you ticked the entries in post 2, did you kill those processes then delete those files? Install Avast / NOD32 and scan the HDD.
Yes and yes, already scanned with Avast and it picked up nothing, but I will scan again tomorrow.
| 698627 | 2008-08-20 10:33:00 | wainuitech (129) |
Got a customer's PC that's got the Antivirus XP 2008; it's putting up a good fight - but I'm winning slowly :D Already run Malwarebytes, but while that got most of it, it didn't get them all.

Double click C: drive / Program Files, look for the folders named either qrwrmdcx or rbzzaaae; if there, delete them.

Try looking in the following locations, and delete the entry if there - if not there then move on:
c:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

Open regedit (click Start / Run, type in regedit, press Enter); if these are there, delete the entry. You can do a search for the following in the reg, may be safer - click Edit / Find, type in qrwrmdcx, then search for rbzzaaae. Look in the following locations:
NOTE: xxxxxxx could be either qrwrmdcx or rbzzaaae
HKEY_LOCAL_MACHINE\SOFTWARE\xxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "xxxxxxxx"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SMrhcnkrj0etfg"

Note 2: NOD32 found and deleted some of the infections instantly - as good as Avast is for a free AV, it was installed on the PC and missed them. On the PC I'm working on, round 1 to me :banana But it's still not clean.
| 698628 | 2008-08-20 11:11:00 | Blam (54) |
Cheers, glad to know I'm not alone in this battle :) Will do that ASAP.
| 698629 | 2008-08-20 11:17:00 | wainuitech (129) |
Almost forgot - download the latest Spybot S&D, link in my sig, update it and run it; that does a reasonable job as well. When it loads for the first time it may advise there are X number of temp files it can delete - let it delete them, as CCleaner doesn't get these for some reason, and I have found this is where some of Antivirus 08 is hiding. You need several antimalware programs to clean out a PC; no one program does it all.