  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1433

fraud.XPAntivirus


Spybot picked up the fraud.XPAntivirus malware and deleted it, but it keeps coming back. I have been trying to get rid of it for the longest.

Can someone help? Attached is my HijackThis log:
hijackthis.log
Asked by: jorbroni
1 Solution
 
rpggamergirl commented:
Fix these entries in Hijackthis:
O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe  
O4 - HKCU\..\Run: [l5wb9n0ot7yxs3oo2m] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dn8cj73b.exe  
O4 - HKCU\..\Run: [z3oe0v4gjqnkg2ugzvtvhv51jxa9] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\qqw8pwu.exe  
O4 - HKCU\..\Run: [m5ikbuow02czpk9zhjt3yotsnv3potfhr6oof482utl06] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\iqvm0l1hid.exe  
O4 - HKCU\..\Run: [u2qomh3qpmtx4monpdah5w2sjyyqeppxv1ybsupd9r] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zr5tp3.exe  
O4 - HKCU\..\Run: [j8mknyo4k8u9xxtjbjrpyo734l8wqidx4uphpf64nuxm9w2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mk225d4yj.exe
O4 - HKCU\..\Run: [yusvzwqobr3kpak66kdcoctssl9722wszgkt3yn0ng54mz] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\m2vjhll7f.exe  
O4 - HKCU\..\Run: [f9eaijxdib] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\oekn23at6va.exe  
O4 - HKCU\..\Run: [g42wcz3vbq269akstz5uygqhut5eto16bqtnh5uy6i0b] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\v885vhzrm7.exe  
O4 - HKCU\..\Run: [z1ymr9bvsjlxtx15poud1i2r59filgfccildspzslf8uu0n] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\a5a6986x.exe  
O4 - HKCU\..\Run: [rszdpmgy7bed87rr] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\hr7jd9.exe  
O4 - HKCU\..\Run: [vp6m9tyqvcpu31gg5pfwqnyjzgxd5s69z0eg7karw5ew5] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zx9nzuel4z.exe  
O4 - HKCU\..\Run: [nyual6iicaxgzx6hcqeujbjuq4j5dmgc41ybm4gdb5f] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mrlq0ewk5ao.exe  
O4 - HKCU\..\Run: [ivjnpn9jazhgc5eihvrl4t2ce36hzk2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\go26y0rxqb9iw.exe  
O4 - HKCU\..\Run: [qg8ysz4l36reda0pbvjmke] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\xf4cw53r8bu.exe  
O4 - HKCU\..\Run: [dfbfuv3sbdb6kin6cqrj5iydh6rynl9ugrv] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\ce4s0i.exe  
O4 - HKCU\..\Run: [ih37cprpplz274arzzltbt3mr7] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\apzw2lk.exe  
O4 - HKCU\..\Run: [cq9jfnpp9b81awvirlynrux] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dobtf1pnb.exe
O4 - HKCU\..\Run: [spas6ckun93r81vh7tfb6o9anim6j1x6yy4z0jet5ep] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\l9bnxpvtfc.exe  
O4 - HKCU\..\Run: [g5k0zyee8o1va] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\wbb63zcwn3b.exe  
O4 - HKCU\..\Run: [cmpu3wbdvttezls6b4e11n0v2a7390vj2k1hga95t] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\o7iq243n6xn.exe  
O4 - HKCU\..\Run: [k2h34uolifjw70tdjl5947bkuqv8qn] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\pynoalny7ri0.exe  
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)  
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll  
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll

And run these 2 tools and show us the logs.
1. Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
2.  Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
David-Howard commented:
Before you run your scans disable System Restore.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
Then boot into Safe Mode (F8 at startup).
Log on with your usual name/password and run the suites suggested by rpggamergirl.
Once the scans are completed, reboot and test.
 
Dooflegna commented:
You'll notice a majority of the bad entries listed in your HijackThis folder are coming out of your temporary files. Before you run rpggamergirl's scans, download and run CCleaner to empty out all of your temporary files.

http://www.ccleaner.com/download
 
jorbroni (author) commented:
I fixed the entries in the list above in HijackThis, but one of them will not go away:

O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
 
rpggamergirl commented:
HijackThis does not remove infections; it only removes registry entries. That's why you need to run tools to get rid of the files and other hooks belonging to the infection that aren't showing in the log.
It's possible that there are other files related to that BHO that refuses to be removed.
Run Combofix and show us the log.
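Three points in this thread can be turned into a small triage script: rpggamergirl's fix list (autoruns under Temp, a no-name BHO, a BHO whose display name is its own DLL path, the DisableRegedit policy, Winlogon Notify and SharedTaskScheduler hooks), Dooflegna's observation that most of the bad entries come out of the temporary-files folder, and rpggamergirl's note just above that HijackThis only removes registry entries, so a DLL that is hooked in more than one place comes back after a single fix. The Python below is added by the editor and is not code from any participant, from HijackThis or from the tools named in the thread. It re-parses the entry lines quoted above (plus one constructed, benign HKLM Run entry for contrast) and flags those patterns; the thresholds in `looks_random` and the decision to report every surviving Winlogon Notify DLL are the editor's own heuristics, not a HijackThis rule set.

```python
import re
from collections import defaultdict

# Constructed sample log: the entry lines are copied from the HijackThis entries
# quoted earlier in this thread, plus one benign HKLM Run entry (ctfmon.exe)
# added for contrast. It is not the poster's attached log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe
O4 - HKCU\..\Run: [f9eaijxdib] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\oekn23at6va.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
BHO_RE = re.compile(r"^BHO: (.*?) - " + GUID + r" - (.*)$")
STS_RE = re.compile(r"^SharedTaskScheduler: (.*?) - " + GUID + r" - (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
POLICY_RE = re.compile(r"^HK\w+.*Policies\\System, (\w+)=(\S+)$")


def looks_random(name):
    """Editor's heuristic: a long lowercase alphanumeric token that mixes letters
    and digits and has no extension-style dot (e.g. 'jgzfkj9w38rksndfi7r4')."""
    return (re.fullmatch(r"[a-z0-9]{10,}", name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(log_text):
    """Return a list of (section, reason, line) findings for a HijackThis-style log.

    A final 'XREF' finding is emitted for every DLL registered under more than one
    section: fixing one of those entries leaves the other hook in place to reload
    the DLL and recreate the first entry."""
    findings = []
    dll_sections = defaultdict(set)  # lower-cased DLL path -> sections referencing it

    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []

        if section == "O4" and (r := RUN_RE.match(body)):
            name, target = r.groups()
            if "\\temp\\" in target.lower():
                reasons.append("autorun launched from a Temp directory")
            if looks_random(name):
                reasons.append("random-looking Run value name")

        elif section == "O2" and (r := BHO_RE.match(body)):
            name, _clsid, dll = r.groups()
            dll_sections[dll.lower()].add(section)
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            elif name.lower() == dll.lower():
                reasons.append("BHO display name is its own DLL path")

        elif section == "O22" and (r := STS_RE.match(body)):
            name, _clsid, dll = r.groups()
            dll_sections[dll.lower()].add(section)
            if looks_random(name):
                reasons.append("random-looking SharedTaskScheduler name")

        elif section == "O20" and (r := NOTIFY_RE.match(body)):
            _name, dll = r.groups()
            if "(file missing)" in dll:
                reasons.append("orphaned Winlogon Notify entry (DLL missing)")
            else:
                # Assumption: any surviving Winlogon Notify DLL is worth verifying,
                # since winlogon.exe loads it at every logon.
                dll_sections[dll.lower()].add(section)
                reasons.append("Winlogon Notify DLL loaded at logon; verify publisher")

        elif section == "O7" and (r := POLICY_RE.match(body)):
            key, value = r.groups()
            if key == "DisableRegedit" and value == "1":
                reasons.append("Registry Editor disabled by policy")

        if reasons:
            findings.append((section, "; ".join(reasons), line))

    for dll, sections in sorted(dll_sections.items()):
        if len(sections) > 1:
            findings.append(("XREF", f"{dll} hooked via {', '.join(sorted(sections))}; "
                             "fixing one entry leaves the other to restore it", dll))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it on the sample reports nine findings; the benign `ctfmon.exe` entry is not among them, and the last finding is the cross-reference showing `hs78344kjkfd.dll` registered as both a BHO (O2) and a SharedTaskScheduler (O22), which is exactly why fixing only the O2 line did not make it go away.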
 
rpggamergirl commented:
I assume the problem is resolved?


To uninstall Combofix:
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u
Thanks.