by The_JZA / September 16, 2010 10:43 PM PDT

Hi, I'm trying to fix my laptop. It's a Toshiba laptop running Windows XP.

Symptoms:

- I keep getting popups that tell me I need a sketchy brand antivirus software (complete with misspellings in the ad)
- My browser has been hijacked and keeps pointing to the same sketchy brand antivirus webpage
- I cannot open any programs, I keep getting "________ program has been infected" popup messages.

Does anyone know what I could do? I'm familiar with going into the registry and editing it, but I don't know what I'm looking for in this case or if I should even bother.

Thanks for any help!

Re: Browser/program hijacked
by Carol~ Moderator / September 17, 2010 12:46 AM PDT

JZA..

Without knowing the exact name of the "sketchy brand software antivirus", it would be difficult to offer a specific removal method catered to your infection. That said, there are certain things which are "a given". Most importantly, it's necessary to "kill" the malicious process. Rkill (by Grinler) should do that for you. The instructions for Rkill are in the (randomly picked) removal guide below.

Read this removal guide. Scroll down to "Automated Removal Instructions using Malwarebytes' Anti-Malware" and follow EACH and EVERY step. It may be overkill (no pun intended) but it should "do the job".

As noted in #2, if the infection you have does not allow you to download the tools, you're going to have to download the files on another computer and transfer them to yours.

It's imperative Malwarebytes' Anti-Malware (MBAM) be updated prior to its use.

In order for MBAM to complete the infection process, you will need to reboot. Reboot back into "Safe Mode with Networking" and run another scan. Once you receive a clean report, you can boot into Normal Mode and run one more scan.

As also noted, check your LAN settings, to verify they haven't been changed to use a proxy server.

You stated you were unable to open any programs. If it remains to be the case at this point, and you're unable to run MBAM, please read this post where it explains how to rename the files.

If you have any problems along the way, please don't hesitate to post back and ask.

Best of luck..
Carol

Will try
by The_JZA / September 17, 2010 12:53 AM PDT

Thanks, I'll try that stuff. I'm currently at work right now so I couldn't recall the exact error message and what the web ad said, but I'll repost after I've tried some of that stuff and give all that info.

(NT) Good Enough. Take Your Time!
by Carol~ Moderator / September 17, 2010 1:02 AM PDT

In reply to: Will try
MBAM log
by The_JZA / September 18, 2010 6:28 AM PDT

I ran a complete scan using the MBAM that was already on the infected laptop, and I was going to go ahead with the instructions provided in your post. They should work with the trojans listed in the log below, right?

________________________________________________________________________
Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 3

9/18/2010 4:18:40 PM
mbam-log-2010-09-18 (16-18-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175431
Time elapsed: 39 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBAM
by Bugbatter / September 18, 2010 9:51 PM PDT
In reply to: MBAM log

Your version of MBAM is obsolete. As Carol mentioned it needs to be updated. If possible, try to download and update MBAM version 1.46. See if a new scan picks up anything.

MBAM updated
by The_JZA / September 19, 2010 10:28 PM PDT

In reply to: MBAM

I did download a new version of MBAM and also AVG anti-virus, and after a couple of complete scans it seems like everything is working fine now. I'll post if anything changes, but thanks for everyone's help.

Good News! Thanks For Letting Us Know.
by Carol~ Moderator / September 20, 2010 8:59 AM PDT
In reply to: MBAM updated

JZA..

My apologies for not getting back to you sooner. The engineers have been doing some work, which has caused some of the posts not to show. Yours being one of them. I didn't want you to think it's been sitting here ignored all day. It just this minute became visible!

I presume you scanned with Malwarebytes' Anti-Malware v 1.46 with Database Version (close to) 4660. If the updated version reported the same, the only problem with your prior log was:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert)

I also presume it's now "deleted and gone". I'm glad to hear "all is well"! My apologies again, for the late reply.

Carol
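
An added example, not part of the thread or any poster's own code: a small Python parser for the MBAM text log layout posted above. It flags what the replies checked by eye: program and database age, and whether each detection was actually removed. The thresholds 1.46 and 4660 are the values mentioned in the replies; the function names and the sample log (a shortened copy of the posted one) are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the log layout posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3259
Registry Keys Infected: 3
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

def parse_mbam_log(text):
    """Return version, database, summary counts and per-item detections."""
    log = {"version": None, "database": None, "counts": {}, "detections": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Malwarebytes' Anti-Malware (\d+(?:\.\d+)*)$", line):
            log["version"] = tuple(int(p) for p in m.group(1).split("."))
        elif m := re.match(r"Database version: (\d+)$", line):
            log["database"] = int(m.group(1))
        elif m := re.match(r"(.+ Infected): (\d+)$", line):   # summary count
            log["counts"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"(.+ Infected):$", line):         # detail section header
            section = m.group(1)
        elif section and (m := re.match(r"(.+) \(([^()]+)\) -> (.+)$", line)):
            log["detections"].append((section, m.group(1), m.group(2), m.group(3)))
    return log

def review(log, min_version=(1, 46), min_database=4660):
    """Thresholds default to the values named in the thread replies."""
    findings = []
    if log["version"] is None or log["version"] < min_version:
        findings.append("program older than %s" % ".".join(map(str, min_version)))
    if log["database"] is None or log["database"] < min_database:
        findings.append("database older than %d" % min_database)
    for section, expected in log["counts"].items():
        listed = sum(1 for d in log["detections"] if d[0] == section)
        if listed != expected:   # truncated or edited log
            findings.append("%s: summary says %d, %d listed" % (section, expected, listed))
    for section, obj, name, action in log["detections"]:
        if "successfully" not in action.lower():
            findings.append("not removed: %s (%s)" % (obj, name))
    return findings
```

Calling `review(parse_mbam_log(SAMPLE_LOG))` on the sample reports the outdated program and database, which is the reason a rescan was requested in the thread.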

