Fake Anti-Virus Software

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:06 pm

Managed to get my computer infected with another one after clicking on a link to some set or other :x

Does anyone have a link to a free to download program that will get rid of this thing?

Don't think it's deleting anything or damaging my computer but apparently ID thieves use them and I fear my money will suddenly disappear.

LEQ
Posts: 3290
Joined: Thu Mar 02, 2006 10:44 am
Location: Bristol.

Post by LEQ » Mon Feb 25, 2008 8:08 pm

fou chien wrote:Great Beijing Olympic Games wil fill us all with pride and piss for all planet.And what do you fuk,muk?
-q-

pk-
Posts: 4367
Joined: Mon Mar 13, 2006 9:53 pm
Location: SE15

Post by pk- » Mon Feb 25, 2008 8:10 pm

best (cheapest) option is probably to get AVG, Spybot Search & Destroy, and HijackThis

run hijackthis and post the log it produces in this thread

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:11 pm

Cheers

I'm so stupid not running anti virus stuff all the time, loads of those file sharing websites are crawling with trojan bastard fucking bastard horses

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:12 pm

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:12:32, on 25/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MapEDC\MapEDC.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\tbu2D\AOL_security_toolbar.dll
O2 - BHO: (no name) - {536C1DB2-CDCB-40E1-AB74-729A2CF872DB} - C:\WINDOWS\System32\vtsqo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 0 - {7D8DB997-526E-4791-9C80-0A612D2693FE} - C:\Program Files\DVD Decrypter\qucam877.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {9a75fc04-b856-0898-bab4-7f53656eb6bb} - {bb6be656-35f7-4bab-8980-658b40cf57a9} - C:\WINDOWS\System32\rhewumtp.dll
O2 - BHO: (no name) - {CED3F066-682F-4F77-8851-FB568F73EEA0} - C:\Program Files\ComPlus Applications\fojyl89104.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\tbu2D\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [{60-0E-E3-33-DW}] C:\WINDOWS\System32\bxo4\dameco3305.exe DWram
O4 - HKLM\..\Run: [48a60e9c] rundll32.exe "C:\WINDOWS\System32\avtirjpw.dll",b
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [MapEDC] C:\Program Files\MapEDC\MapEDC.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\bxo4\dameco3305.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O20 - Winlogon Notify: pmnnnkh - pmnnnkh.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6522 bytes

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:12 pm

ps I hope pk isn't going to use the above to steal all my moneysss

ajantis_art
Posts: 1931
Joined: Mon Apr 10, 2006 10:44 am
Location: new cross/ norwich

Post by ajantis_art » Mon Feb 25, 2008 8:13 pm

I'm gonna download that AVG shit, mine ran out a few weeks ago and I ain't paying for nothing

thomas
Posts: 2917
Joined: Tue Jan 09, 2007 12:46 pm
Location: Liverpool

Post by thomas » Mon Feb 25, 2008 8:18 pm

Corpsey, get Firefox. It's the best way to avoid viruses at the moment.

All I run is AVG, but HijackThis is good as well. Just hard to know what to do with that information.

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:22 pm

Innit, it's times like this I realise that although I spend half my life on computers I have no idea how they work

pk-
Posts: 4367
Joined: Mon Mar 13, 2006 9:53 pm
Location: SE15

Post by pk- » Mon Feb 25, 2008 8:22 pm

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe
that's a trojan. just having a look on google now about how to remove it.
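
Added example, not from this thread or from HijackThis itself: a small Python script that parses the O4 (autorun) lines of a HijackThis log and flags the kind of entry pk picked out above. The heuristics are my own assumptions for this example (an executable dropped straight into C:\WINDOWS, letters-plus-digits filenames, an 8-character hex value name, rundll32 loading a random-looking DLL); the sample lines are copied from corpsey's log.

```python
import re

# Sample O4 (autorun) lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [{60-0E-E3-33-DW}] C:\WINDOWS\System32\bxo4\dameco3305.exe DWram
O4 - HKLM\..\Run: [48a60e9c] rundll32.exe "C:\WINDOWS\System32\avtirjpw.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
# HijackThis O4 format: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
QUOTED_RE = re.compile(r'"([^"]+)"')

def parse_o4(line):
    """Return (hive, value name, target path) for an O4 Run entry, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    quoted = QUOTED_RE.findall(cmd)
    # rundll32.exe is only a loader; the DLL it is handed is the real target.
    if quoted and (cmd.startswith('"') or cmd.lower().startswith('rundll32.exe')):
        path = quoted[0]
    else:
        path = cmd.split()[0]
    return m.group('hive'), m.group('name'), path

def suspicious_reasons(hive, name, path):
    """Heuristics assumed for this example (not HijackThis's own) matching the patterns in the thread's log."""
    folder, _, filename = path.rpartition('\\')
    stem = filename.rsplit('.', 1)[0]
    reasons = []
    if folder.lower() == r'c:\windows':
        reasons.append('executable sitting directly in C:\\WINDOWS, not an install folder')
    if re.fullmatch(r'[a-z]+\d{3,}', stem, re.IGNORECASE):
        reasons.append('generated-looking filename: letters followed by a run of digits')
    if re.fullmatch(r'[0-9a-f]{8}', name):
        reasons.append('Run value name is an 8-character hex string, not a product name')
    if filename.lower().endswith('.dll') and re.fullmatch(r'[a-z]{7,9}', stem):
        reasons.append('rundll32 loading a DLL with a random-looking name')
    return reasons

def triage(log_text):
    """Map each flagged O4 value name to the list of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed and (reasons := suspicious_reasons(*parsed)):
            flagged[parsed[1]] = reasons
    return flagged
```

Running triage(SAMPLE_LOG) flags runner1, {60-0E-E3-33-DW} and 48a60e9c and leaves the Winamp and MSN Messenger entries alone; a flag is a reason to look closer, not proof on its own.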

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:25 pm

^ cheers for taking the time man ^

LEQ
Posts: 3290
Joined: Thu Mar 02, 2006 10:44 am
Location: Bristol.

Post by LEQ » Mon Feb 25, 2008 8:28 pm

Have a look - http://forums.techguy.org/malware-remov ... lease.html

Some tips on how to remove it, might be helpful.

pk-
Posts: 4367
Joined: Mon Mar 13, 2006 9:53 pm
Location: SE15

Post by pk- » Mon Feb 25, 2008 8:32 pm

it'll be worth signing up at www.bleepingcomputer.com/forums/ and then starting a thread in this bit with your hijackthis log. they'll talk you through exactly what to do and will be much more thorough than the anecdotal remedies on google. they might also pick up other stuff from that log that needs fixing.

they normally respond to people within a day or so. i wouldn't pay for anything online with a credit card in the meantime lol

corpsey
Posts: 5995
Joined: Wed May 03, 2006 2:16 am

Post by corpsey » Mon Feb 25, 2008 8:33 pm

okay thanks man

what a nightmare

pk-
Posts: 4367
Joined: Mon Mar 13, 2006 9:53 pm
Location: SE15

Post by pk- » Mon Feb 25, 2008 8:38 pm

the problem is a lot of the sites that googling "mrofinu572.exe" bring up are offering 'fix tools' and 'free antivirus' and all that, and are just peddling more malware. you're definitely better off getting advice from people who know their shit

doesn't look like you've got anything else on there but that might be way off the mark, best get it looked at by one of that bleepingcomputer lot

LEQ
Posts: 3290
Joined: Thu Mar 02, 2006 10:44 am
Location: Bristol.

Post by LEQ » Mon Feb 25, 2008 8:41 pm

Yeah true ^, I used the Tech Guy one before for a similar problem and they fixed it in a day for me. Nice one for that link though pk for the future.

ed g
Posts: 612
Joined: Mon Nov 27, 2006 4:01 pm
Location: Nottingham

Post by ed g » Mon Feb 25, 2008 9:18 pm

Yeah both AVG antivirus and anti-spyware are worth getting.

I'd also recommend Lavasoft Ad-Aware

misk
Posts: 5525
Joined: Wed Nov 01, 2006 7:40 am
Location: East Coast Soon!

Post by misk » Mon Feb 25, 2008 9:19 pm

Corpsey wrote: O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
oooooOOOOOOOO!! :o someone's breaking the law! :lol:

le_hardcore_chiefus
Posts: 1632
Joined: Wed Feb 07, 2007 5:55 pm
Location: ellesmere port

Post by le_hardcore_chiefus » Mon Feb 25, 2008 9:25 pm

I've got AVG... don't know if it's working properly like... how would I know if I had a trojan virus etc

dubloke
Posts: 7679
Joined: Tue Oct 09, 2007 7:57 am

Post by dubloke » Mon Feb 25, 2008 9:31 pm

I haven't ever had antivirus software and I'm always fucking shit scared to download stuff, but I do it anyway :?
