I couldn't find much information on English sites about ojtgixe.exe and
qwbgoxx.exe, which were running in the background (Windows XP Pro SP2).
Some of the symptoms included quick closing of browsers, including
the System Properties window. I assume these two were running to capture
keystrokes for passwords and such for identity theft. *** IMPORTANT
*** You should change all of your passwords once you completely remove
these trojans.
Here is a procedure I created to remove these:
1. run cmd
2. create this batch file (you can use Notepad, but I prefer "copy con
rmv.bat"; in this case, finish the file with Ctrl-Z):
@echo off
:gorep
taskkill /F /FI "IMAGENAME eq ojt*"
taskkill /F /FI "IMAGENAME eq qwb*"
goto gorep
3. then run the batch file by typing "rmv" or whatever other name you
used for your batch file.
4. it will run in a loop, and it should say that these files are no
longer found; press Ctrl-C to break out of the loop.
5. type: cd \program files\common files\microsoft shared
6. type: attrib -s -h bpfwcfj.inf
7. type: attrib -s -h qwbgoxx.exe
8. type: del bpfwcfj.inf
9. type: del qwbgoxx.exe
10. type: cd \program files\common files\system
11. type: attrib -s -h bpfwcfj.inf
12. type: attrib -s -h ojtgixe.exe
13. type: del bpfwcfj.inf
14. type: del ojtgixe.exe
15. exit to close cmd window.
16. bring up RegEdit, by running regedit.
17. go to the top of the tree, and find and remove all of the entries
with "bpfwcfj", "ojtgixe", or "qwbgoxx". I think I found about 50
instances.
You're now clean. It was rather simple to remove. If you try to
remove one of those two processes, you'll notice that it comes right
back up. There are two programs that make sure each other is running, so
unless you have quick fingers faster than code execution, you won't be
able to remove them using Task Manager--thus the need to create that small
batch file. You may be able to enter safe mode and do this, but I'm
not sure how deeply rooted the processes are. Seeing from the
registry, it attaches itself to the Explorer shell, so it may or may not
work.
Hope this helps somebody.
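
The registry step above depends on finding every entry that mentions the three names. As an added example (not part of the original post), this Python script lists them from a text export of the registry, including names stored in expandable-string values, which a .reg file writes as hex(2) bytes that a plain text search of the file will not match. It assumes an export in "Windows Registry Editor Version 5.00" format; the function names and the sample keys and paths are constructed for illustration.

```python
import re

# The three names come from the post; everything else here is constructed.
NAMES = ("bpfwcfj", "ojtgixe", "qwbgoxx")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode_data(data):
    """Decode hex(2)/hex(7) data (UTF-16LE bytes) to text; pass other data through."""
    m = re.match(r"hex\([27]\):(.*)", data, re.I)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    return raw.decode("utf-16-le", errors="replace").replace("\x00", " ").strip()

def find_hits(reg_text, names=NAMES):
    """Return (key, value_name, text) for each key or value that mentions a name."""
    hits, key = [], None
    # regedit wraps long hex data with a trailing backslash; rejoin those lines.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    for line in (l.strip() for l in joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if any(n in key.lower() for n in names):
                hits.append((key, None, key))
            continue
        m = VALUE_RE.match(line)
        if key and m:
            text = decode_data(m.group(2))
            if any(n in (m.group(1) + text).lower() for n in names):
                hits.append((key, m.group(1).strip('"'), text))
    return hits

def _hex2(s):
    """Build hex(2) data the way a .reg export writes REG_EXPAND_SZ."""
    return "hex(2):" + ",".join("%02x" % b for b in (s + "\0").encode("utf-16-le"))

# Constructed sample export: key names and paths are placeholders, not from the post.
_h = _hex2("%CommonProgramFiles%\\System\\ojtgixe.exe")
SAMPLE = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Startup]",
    r'"loader"="C:\\Example\\qwbgoxx.exe"',
    '"expand"=' + _h[:40] + "\\", "  " + _h[40:],
    '"clean"="notepad.exe"', "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\bpfwcfj]", '@="1"', ""])

if __name__ == "__main__":  # for a real export: open(path, encoding="utf-16").read()
    for hit in find_hits(SAMPLE):
        print(hit)
```

Running the same search again on a fresh export after cleanup should return an empty list.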