Posted on 2009-02-21
Last Modified: 2013-12-06

Spybot picks up the fraud.XPAntivirus malware and deletes it, but it keeps coming back. I have been trying to get rid of it for the longest time.

Can someone help? Attached is my HijackThis log.
Question by: jorbroni
    LVL 47

    Expert Comment

    Fix these entries in Hijackthis:
    O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll
    O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
    O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe  
    O4 - HKCU\..\Run: [l5wb9n0ot7yxs3oo2m] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dn8cj73b.exe  
    O4 - HKCU\..\Run: [z3oe0v4gjqnkg2ugzvtvhv51jxa9] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\qqw8pwu.exe  
    O4 - HKCU\..\Run: [m5ikbuow02czpk9zhjt3yotsnv3potfhr6oof482utl06] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\iqvm0l1hid.exe  
    O4 - HKCU\..\Run: [u2qomh3qpmtx4monpdah5w2sjyyqeppxv1ybsupd9r] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zr5tp3.exe  
    O4 - HKCU\..\Run: [j8mknyo4k8u9xxtjbjrpyo734l8wqidx4uphpf64nuxm9w2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mk225d4yj.exe
    O4 - HKCU\..\Run: [yusvzwqobr3kpak66kdcoctssl9722wszgkt3yn0ng54mz] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\m2vjhll7f.exe  
    O4 - HKCU\..\Run: [f9eaijxdib] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\oekn23at6va.exe  
    O4 - HKCU\..\Run: [g42wcz3vbq269akstz5uygqhut5eto16bqtnh5uy6i0b] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\v885vhzrm7.exe  
    O4 - HKCU\..\Run: [z1ymr9bvsjlxtx15poud1i2r59filgfccildspzslf8uu0n] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\a5a6986x.exe  
    O4 - HKCU\..\Run: [rszdpmgy7bed87rr] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\hr7jd9.exe  
    O4 - HKCU\..\Run: [vp6m9tyqvcpu31gg5pfwqnyjzgxd5s69z0eg7karw5ew5] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\zx9nzuel4z.exe  
    O4 - HKCU\..\Run: [nyual6iicaxgzx6hcqeujbjuq4j5dmgc41ybm4gdb5f] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\mrlq0ewk5ao.exe  
    O4 - HKCU\..\Run: [ivjnpn9jazhgc5eihvrl4t2ce36hzk2] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\go26y0rxqb9iw.exe  
    O4 - HKCU\..\Run: [qg8ysz4l36reda0pbvjmke] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\xf4cw53r8bu.exe  
    O4 - HKCU\..\Run: [dfbfuv3sbdb6kin6cqrj5iydh6rynl9ugrv] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\ce4s0i.exe  
    O4 - HKCU\..\Run: [ih37cprpplz274arzzltbt3mr7] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\apzw2lk.exe  
    O4 - HKCU\..\Run: [cq9jfnpp9b81awvirlynrux] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\dobtf1pnb.exe
    O4 - HKCU\..\Run: [spas6ckun93r81vh7tfb6o9anim6j1x6yy4z0jet5ep] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\l9bnxpvtfc.exe  
    O4 - HKCU\..\Run: [g5k0zyee8o1va] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\wbb63zcwn3b.exe  
    O4 - HKCU\..\Run: [cmpu3wbdvttezls6b4e11n0v2a7390vj2k1hga95t] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\o7iq243n6xn.exe  
    O4 - HKCU\..\Run: [k2h34uolifjw70tdjl5947bkuqv8qn] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\pynoalny7ri0.exe  
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)  
    O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll  
    O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll

    Then run these 2 tools and show us the logs.

    1.  Download Malwarebytes' Anti-Malware to your desktop, and check for the tool's updates before running a scan.

    If you can't access the above link then use this link and rename the file before saving it to your desktop.

    2.  Please download ComboFix by sUBs:
    You must download it to, and run it from, your Desktop.
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe and follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
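    The entries above are the usual fingerprints of this rogue: random-named Run values launched from the user's Temp folder, a BHO with no name (or named after its own DLL path), a registry-policy lockout, Winlogon Notify hooks pointing at missing or unknown DLLs, and a SharedTaskScheduler CLSID that is the same GUID as one of the BHOs. The script below is an added example (not part of the original thread or of HijackThis itself) that parses a HijackThis log and flags lines matching those patterns. The sample log is constructed from a few of the lines quoted above plus two benign entries; the placeholder CLSID {11111111-...} and the "Example Helper" BHO are made up for the benign case, and the list of stock Winlogon Notify package names is an assumption trimmed to common XP defaults, so extend it for your own build.

```python
"""Triage a HijackThis log for the persistence hooks discussed in this thread.

Added example, not from the original post. Heuristics encode what the experts
flagged: O4 autoruns launched from %Temp% under random names, O2 BHOs with no
name or named after their own DLL, O7 policy lockouts, O20 Winlogon Notify
packages pointing at missing or unknown DLLs, and an O22 SharedTaskScheduler
CLSID that is also registered as a BHO.
"""
import re
from typing import List, NamedTuple, Set

# Constructed sample: lines modelled on the entries quoted in this thread plus
# two benign ones. {11111111-...} is a placeholder CLSID, not a real component.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6B04EDE4-E7F2-4BF7-907A-8300F9327DD7} - C:\WINDOWS\system32\CONSOL.dll
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [tk6uh0omas3ssopym946m2mizzf2p5bvcnno5n6w6821] C:\DOCUME~1\REGINA~1\LOCALS~1\Temp\vo9ghtxh7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: CNMnt5 - CNMnt5.dll (file missing)
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<dll>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.*?), (?P<setting>\w+)=(?P<value>\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<dll>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<dll>.*)$")

# Launch path under a Temp folder (short 8.3 names such as LOCALS~1\Temp included).
TEMP_RE = re.compile(r"\\temp\\", re.I)
# Value name of 10+ alphanumerics mixing letters and digits with no dot or space.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$", re.I)
LOCKOUT_POLICIES = {"disableregedit", "disabletaskmgr"}
# Assumption: stock XP Winlogon Notify subkey names, trimmed; extend per build.
STOCK_WINLOGON_NOTIFY: Set[str] = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def _clsids(lines: List[str], pattern: re.Pattern) -> Set[str]:
    """Collect lower-cased CLSIDs from every line matching `pattern`."""
    found = set()
    for ln in lines:
        m = pattern.match(ln)
        if m:
            found.add(m.group("clsid").lower())
    return found


def triage(log: str) -> List[Finding]:
    """Return one Finding per suspicious pattern; a line may yield several."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    # A GUID registered both as a BHO and as a SharedTaskScheduler task is the
    # same component hooking Explorer and IE at once; flag it on both lines.
    shared = _clsids(lines, O2_RE) & _clsids(lines, O22_RE)
    out: List[Finding] = []
    for ln in lines:
        if m := O2_RE.match(ln):
            name, clsid = m.group("name"), m.group("clsid").lower()
            if name == "(no name)":
                out.append(Finding("O2", "BHO registered without a name", ln))
            elif name.lower().endswith(".dll") or "\\" in name:
                out.append(Finding("O2", "BHO named after its own DLL path", ln))
            if clsid in shared:
                out.append(Finding("O2", "BHO CLSID also used by a SharedTaskScheduler entry", ln))
        elif m := O4_RE.match(ln):
            if TEMP_RE.search(m.group("cmd")):
                out.append(Finding("O4", "autorun launched from a Temp directory", ln))
            elif RANDOM_NAME.match(m.group("name")):
                out.append(Finding("O4", "autorun with random-looking value name", ln))
        elif m := O7_RE.match(ln):
            if m.group("setting").lower() in LOCKOUT_POLICIES and m.group("value") == "1":
                out.append(Finding("O7", f"policy lockout {m.group('setting')}=1", ln))
        elif m := O20_RE.match(ln):
            if m.group("dll").endswith("(file missing)"):
                out.append(Finding("O20", "Winlogon Notify points at a missing DLL", ln))
            elif m.group("name").lower() not in STOCK_WINLOGON_NOTIFY:
                out.append(Finding("O20", "non-stock Winlogon Notify package", ln))
        elif m := O22_RE.match(ln):
            if m.group("clsid").lower() in shared:
                out.append(Finding("O22", "SharedTaskScheduler CLSID also registered as a BHO", ln))
            else:
                out.append(Finding("O22", "SharedTaskScheduler entry present; review", ln))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Run it against a saved log with `python triage.py < hijackthis.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the O4 Temp-path and random-name checks are what separate the rogue's entries from legitimate Run values such as ctfmon.exe, and the shared-CLSID check is what tells you the hs78344kjkfd.dll BHO and the O22 task are one component, which is why removing only the O2 line leaves it able to re-register.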
    LVL 27

    Expert Comment

    Before you run your scans disable System Restore.
    Then boot into Safe Mode (F8 at startup).
    Log on with your usual name/password and run the suites suggested by rpggamergirl.
    Once the scans are completed, reboot and test.
    LVL 2

    Expert Comment

    You'll notice a majority of the bad entries listed in your Hijack This folder are coming out of your temporary files.  Before you run rpggamergirl's scans, download and run CCleaner to empty out all of your temporary files.
    LVL 1

    Author Comment

    I fixed the entries in the list above in HijackThis, but one of them will not go away:

    O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
    LVL 47

    Accepted Solution

    HijackThis does not remove infections; it only removes registry entries. That's why you need to run tools to get rid of the files and other hooks belonging to the infection that aren't showing in the log.
    It's possible that there are other files related to that BHO that refuse to be removed.
    Run Combofix and show us the log.
    LVL 47

    Expert Comment

    I assume the problem is resolved?

    To uninstall Combofix:
    Go to Start > Run and copy and paste the next command into the field:

    ComboFix /u
