Keith_L

Need help fixing hijacked browser.


My father's computer is in some pretty bad trouble. I can not get to any pc help web sites like PC Pitstop.

If I type in pcpitstop.com or majorgeek.com the browser gets redirected to virusremover2008.com (which is malware).

 

On boot an "Antivirus XP 2008" starts some kind of scan but this program is also malware.

 

I also have an IE toolbar that runs PCPrivacyCleaner (which is malware).

 

It has this cool screen saver that is a blue screen of death and it rolls to like a windows XP boot screen but it is only a screen saver.

 

I am sure it has more problems but I can not get to any PC Pitstop to do a scan of my computer to tell.

 

I am attaching my HJT log file, hijackthis.txt. Let me know what you think I should do.

 

Thanks


Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.

 

Hi and welcome

Lots of infections here

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%43%3a%5c%44%6f%63%75%6d%65%6e%74%73%20%61%6e%64%20%53%65%74%74%69%6e%67%73%5c%4f%77%6e%65%72%5c%4d%79%20%44%6f%63%75%6d%65%6e%74%73%5c%55%6e%7a%69%70%70%65%64%5c%32%30%30%34%31%31%32%30%31%37%34%34%35%31%36%30%39%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: QXK Olive - {02AA6842-B193-4D26-85F0-DDA31FF3EA66} - C:\WINNT\wnlmdakqxmd.dll

O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - (no file)

O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - (no file)

O3 - Toolbar: bgrqfetx - {D76144AF-DF87-4614-9630-91BE83E98924} - C:\WINNT\bgrqfetx.dll

O4 - HKLM\..\Run: [{3BCF8450-D134-427E-AE9C-2A42CE8215CC}] "C:\WINNT\sysragfchqsa.exe"

O4 - HKLM\..\Run: [{09E23F2C-ED1E-43FC-9AA1-1332162A35AE}] "C:\WINNT\sysuxvmschra.exe"

O4 - HKLM\..\Run: [{0389E53C-62CF-4CD6-9F4E-955A740E4385}] "C:\WINNT\syscdupretna.exe"

O4 - HKLM\..\Run: [sMrhcpmej0ee3e] C:\Program Files\rhcpmej0ee3e\rhcpmej0ee3e.exe

O4 - HKLM\..\Run: [lphctmej0ee3e] C:\WINNT\system32\lphctmej0ee3e.exe

 

If you didn't set this security policy, please let HJT fix this

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

 

Go to My Computer->Tools->Folder Options->View tab:

* Under the Hidden files and folders heading:

* Select - Show hidden files and folders.

* Uncheck - Hide protected operating system files (recommended) option.

* Also, make sure there is no checkmark beside Hide file extensions for known file types.

* Click OK. (Remember to Hide files and folders once done)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

 

C:\WINNT\wnlmdakqxmd.dll

C:\WINNT\bgrqfetx.dll

C:\WINNT\sysragfchqsa.exe

C:\WINNT\sysuxvmschra.exe

C:\WINNT\syscdupretna.exe

C:\Program Files\rhcpmej0ee3e\rhcpmej0ee3e.exe

C:\Program Files\rhcpmej0ee3e <==and this folder

C:\WINNT\system32\lphctmej0ee3e.exe

 

If any of the above files/folders resist deletion please drop into safe mode and try again.

You can do this by restarting your computer and tapping the F8 key before Windows starts

You are presented with a Windows XP Advanced Options menu

Use your up arrow key to highlight SafeMode then hit enter.

http://www.bleepingcomputer.com/tutorials/tutorial61.html

How to start Windows in Safe Mode

 

 

NEXT

Next, launch Notepad (Start > Run, type in: notepad)

Copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02AA6842-B193-4D26-85F0-DDA31FF3EA66}]

 

[-HKEY_CLASSES_ROOT\CLSID\{02AA6842-B193-4D26-85F0-DDA31FF3EA66}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D76144AF-DF87-4614-9630-91BE83E98924}"=-

 

[-HKEY_CLASSES_ROOT\CLSID\{D76144AF-DF87-4614-9630-91BE83E98924}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"{3BCF8450-D134-427E-AE9C-2A42CE8215CC}"=-

"{09E23F2C-ED1E-43FC-9AA1-1332162A35AE}"=-

"{0389E53C-62CF-4CD6-9F4E-955A740E4385}"=-

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMrhcpmej0ee3e"=-

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lphctmej0ee3e"=-

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

Now please reboot the machine.

 

 

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

Then, go to Start > Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

Tutorial if needed

http://thespykiller.co.uk/index.php/topic,5946.0.html

 

In your next reply, please post:

Malwarebytes' Anti-Malware log

New HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

Also please give me an update on computer behavior at the moment.

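An added example, not part of the original post and not code from HijackThis: it parses HijackThis entries like those listed above and checks a REGEDIT4 removal script against them, flagging a key header that lacks its closing bracket and any file-backed entry the script never deletes. The function names and both sample strings are constructed for illustration, and treating a malformed header as "not applied" is an assumption.

```python
import re

# Constructed samples: log entries copied from the post; a cut-down removal script
# whose first header lacks ']' and which has no line for the lphctmej0ee3e value.
HJT_LOG = r"""
O2 - BHO: QXK Olive - {02AA6842-B193-4D26-85F0-DDA31FF3EA66} - C:\WINNT\wnlmdakqxmd.dll
O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - (no file)
O4 - HKLM\..\Run: [{3BCF8450-D134-427E-AE9C-2A42CE8215CC}] "C:\WINNT\sysragfchqsa.exe"
O4 - HKLM\..\Run: [lphctmej0ee3e] C:\WINNT\system32\lphctmej0ee3e.exe
"""
REG_FIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02AA6842-B193-4D26-85F0-DDA31FF3EA66}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{3BCF8450-D134-427E-AE9C-2A42CE8215CC}"=-
"""
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN = re.compile(r'Run: \[([^\]]+)\]\s+"?([^"]+)"?$')

def parse_hjt(log):
    """Return (section, key, path) tuples; key is a CLSID or Run value name, path is None for '(no file)'."""
    out = []
    for line in filter(None, map(str.strip, log.splitlines())):
        code, _, body = line.partition(" - ")
        run, clsid = RUN.search(body), CLSID.search(body)
        if run:
            key, path = run.group(1), run.group(2)
        else:
            key, path = (clsid.group(0), body.rsplit(" - ", 1)[-1]) if clsid else (None, None)
        out.append((code, key, None if path == "(no file)" else path))
    return out

def lint_reg(text):
    """Return (problems, removed): syntax problems and the upper-cased keys/values the script deletes."""
    problems, removed = [], set()
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        problems.append("first line must be REGEDIT4")
    for n, line in enumerate(lines[1:], 2):
        if line.startswith("[") and not line.endswith("]"):
            problems.append(f"non-blank line {n}: key header missing closing ']'")  # not counted as applied
        elif line.startswith("[-"):            # "[-key]" deletes the whole key
            removed.update(c.upper() for c in CLSID.findall(line))
        elif line.endswith("=-"):              # '"name"=-' deletes one value
            removed.add(line[:-2].strip('"').upper())
    return problems, removed

def uncovered(entries, removed):
    """Entries backed by a file on disk whose registry hook the script never deletes."""
    return [e for e in entries if e[1] and e[2] and e[1].upper() not in removed]
```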

Due to lack of response this topic will be closed. If you still need help, start a new topic.
