fraud.XPAntivirus

jorbroni asked:

Spybot picked up the fraud.XPAntivirus malware and deleted it, but it keeps coming back. I have been trying to get rid of it for the longest time.

Can someone help? Attached is my HijackThis log:
hijackthis.log
rpggamergirl:

Fix these entries in Hijackthis:
O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe  
O4 - HKCU\..\Run: [l5wb9n0ot7yxs3oo2m] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dn8cj73b.exe  
O4 - HKCU\..\Run: [z3oe0v4gjqnkg2ugzvtvhv51jxa9] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\qqw8pwu.exe  
O4 - HKCU\..\Run: [m5ikbuow02czpk9zhjt3yotsnv3potfhr6oof482utl06] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\iqvm0l1hid.exe  
O4 - HKCU\..\Run: [u2qomh3qpmtx4monpdah5w2sjyyqeppxv1ybsupd9r] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zr5tp3.exe  
O4 - HKCU\..\Run: [j8mknyo4k8u9xxtjbjrpyo734l8wqidx4uphpf64nuxm9w2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mk225d4yj.exe
O4 - HKCU\..\Run: [yusvzwqobr3kpak66kdcoctssl9722wszgkt3yn0ng54mz] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\m2vjhll7f.exe  
O4 - HKCU\..\Run: [f9eaijxdib] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\oekn23at6va.exe  
O4 - HKCU\..\Run: [g42wcz3vbq269akstz5uygqhut5eto16bqtnh5uy6i0b] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\v885vhzrm7.exe  
O4 - HKCU\..\Run: [z1ymr9bvsjlxtx15poud1i2r59filgfccildspzslf8uu0n] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\a5a6986x.exe  
O4 - HKCU\..\Run: [rszdpmgy7bed87rr] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\hr7jd9.exe  
O4 - HKCU\..\Run: [vp6m9tyqvcpu31gg5pfwqnyjzgxd5s69z0eg7karw5ew5] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zx9nzuel4z.exe  
O4 - HKCU\..\Run: [nyual6iicaxgzx6hcqeujbjuq4j5dmgc41ybm4gdb5f] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mrlq0ewk5ao.exe  
O4 - HKCU\..\Run: [ivjnpn9jazhgc5eihvrl4t2ce36hzk2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\go26y0rxqb9iw.exe  
O4 - HKCU\..\Run: [qg8ysz4l36reda0pbvjmke] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\xf4cw53r8bu.exe  
O4 - HKCU\..\Run: [dfbfuv3sbdb6kin6cqrj5iydh6rynl9ugrv] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\ce4s0i.exe  
O4 - HKCU\..\Run: [ih37cprpplz274arzzltbt3mr7] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\apzw2lk.exe  
O4 - HKCU\..\Run: [cq9jfnpp9b81awvirlynrux] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dobtf1pnb.exe
O4 - HKCU\..\Run: [spas6ckun93r81vh7tfb6o9anim6j1x6yy4z0jet5ep] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\l9bnxpvtfc.exe  
O4 - HKCU\..\Run: [g5k0zyee8o1va] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\wbb63zcwn3b.exe  
O4 - HKCU\..\Run: [cmpu3wbdvttezls6b4e11n0v2a7390vj2k1hga95t] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\o7iq243n6xn.exe  
O4 - HKCU\..\Run: [k2h34uolifjw70tdjl5947bkuqv8qn] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\pynoalny7ri0.exe  
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)  
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll  
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll

And run these 2 tools and show us the logs.
1. Download Malwarebytes' Anti-Malware to your desktop, and check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
David-Howard:

Before you run your scans disable System Restore.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
Then boot into Safe Mode (F8 at startup).
Log on with your usual name/password and run the suites suggested by rpggamergirl.
Once the scans are completed, reboot and test.
You'll notice a majority of the bad entries listed in your HijackThis folder are coming out of your temporary files. Before you run rpggamergirl's scans, download and run CCleaner to empty out all of your temporary files.

http://www.ccleaner.com/download
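A small triage script, added here as an example (it is not from anyone in this thread), that applies David-Howard's observation to HijackThis log lines: it flags O4 Run entries that launch from a Temp directory or carry long random-looking value names, plus the O7 DisableRegedit policy, missing Winlogon Notify DLLs and unnamed BHOs of the kinds quoted above. The log lines are constructed, modelled on the entries posted in this thread, and the heuristics are this example's own, not HijackThis features.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the entries quoted in this thread
# (not the asker's actual log). One benign HKLM Run entry is included
# to show that ordinary autoruns are not flagged.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll",
    r"O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)",
]

# O4 lines look like: O4 - HKCU\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def triage_hijackthis(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for each entry that matches a review heuristic."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        m = O4_RE.match(line)
        if m:
            name, path = m.group(2), m.group(3)
            # Autoruns living in a user's Temp directory are the pattern this thread is about.
            if "\\temp\\" in path.lower():
                reasons.append("autorun launches from a Temp directory")
            # Legitimate Run values have readable names; long letter/digit soup does not.
            if len(name) >= 16 and any(c.isdigit() for c in name) and any(c.isalpha() for c in name):
                reasons.append("long random-looking Run value name")
        elif section == "O7" and "DisableRegedit=1" in line:
            reasons.append("policy blocks the Registry Editor")
        elif section == "O20" and line.endswith("(file missing)"):
            reasons.append("Winlogon Notify DLL is missing on disk")
        elif section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if reasons:
            findings.append((section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```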
jorbroni (asker):

I fixed the entries in the list above in HijackThis, but one of them will not go away:

O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
ASKER CERTIFIED SOLUTION
rpggamergirl:
This solution is only available to members.

I assume the problem is resolved?


To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u
Thanks.