Got some Nasty spyware

EliteLamer
edited September 2008 in Help / Advice Forum
I just got this about an hour ago and it has frozen a "warning spyware detected" to my wallpaper. It is causing my computer to get blue screens of death. Am I just going to have to format?


Posts

    Ruckus
    edited September 2008
    EliteLamer wrote: »
    I just got this about an hour ago and it has frozen a "warning spyware detected" to my wallpaper. It is causing my computer to get blue screens of death. Am I just going to have to format?

    You could try Safe Mode antivirus and antispyware scans, but failing that it's sometimes just easier to start from scratch.

    Erandus
    edited September 2008
    Boot to safe mode.

    Install and run Ad-Aware, SpyBot, and CCleaner.

    JustinSane07
    edited September 2008
    If you have access to another PC, look up info about this piece of spyware on Google. You might get an exact answer as to how to fix it. I've had to do this before with ugly spywares because the generic methods don't work. Sometimes people have even written tools and uninstallers for specific spyware removals.

    Fellhand
    edited September 2008
    Erandus wrote: »
    Boot to safe mode.

    Install and run Ad-Aware, SpyBot, and CCleaner.

    These two are what I use for my job along with Malwarebytes Anti-Spyware. The last one is to remove the Antivirus 2008 spyware that has been cropping up lately.

    DrFrylock
    edited September 2008
    My experience is that Ad-Aware and Spybot are wholly useless against the really nasty spyware cocktails that are out there now (SmitFraud, Virtumondo/Vundo/Virtumonde, etc.). Malwarebytes may do a better job. Go ahead and try those things first, but if they don't work, don't be surprised. Note that if you do fix it you'll have to set your desktop background back manually, usually.

    If those don't work, post a HijackThis log and I'll take a look at it. It would be useful to know what you've actually got. I've fixed two of these without reformatting but it was not easy.

    TL DR
    edited September 2008
    Fellhand wrote: »
    Erandus wrote: »
    Boot to safe mode.

    Install and run Ad-Aware, SpyBot, and CCleaner.

    These two are what I use for my job along with Malwarebytes Anti-Spyware. The last one is to remove the Antivirus 2008 spyware that has been cropping up lately.

    Yeah, I've seen this same thing on 2 computers.

    Just FYI, WIN+R will open the Run prompt, which is useful if the virus has disabled the Start menu item and you need to access the System Configuration Utility (msconfig) or edit registry entries (regedit), such as if you've been locked out of Task Manager.

    Definitely do some internet searching on your symptoms. I was able to find a fix for the problem, but it was a while ago.

    Liquid Hellz
    edited September 2008
    Not to hijack the thread, but I saw Fry mention Virtumonde and I currently have that and it is quite annoying. I tried the safe mode delete and everything and it didn't work. I tried manually deleting the reg keys which I found through Spybot S&D and it didn't work. What should I do?

    DrFrylock
    edited September 2008
    Liquid Hellz wrote: »
    Not to hijack the thread, but I saw Fry mention Virtumonde and I currently have that and it is quite annoying. I tried the safe mode delete and everything and it didn't work. I tried manually deleting the reg keys which I found through Spybot S&D and it didn't work. What should I do?

    Try some custom software that's built to remove Virtumonde. These will probably scrape off the worst of things, but it's advisable to run HijackThis right afterwards to remove the detritus left behind.

    Liquid Hellz
    edited September 2008
    I did both of those walkthroughs and neither program found the virus. I ran Spybot S&D again and it found it but can't get rid of it.

    Liquid Hellz
    edited September 2008
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O20 - AppInit_DLLs: uvamap.dll iulgpa.dll vixopo.dll vziblr.dll yhfkiq.dll yomccr.dll eohxgr.dll oegtte.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 3953 bytes

    DrFrylock
    edited September 2008
    O20 - AppInit_DLLs: uvamap.dll iulgpa.dll vixopo.dll vziblr.dll yhfkiq.dll yomccr.dll eohxgr.dll oegtte.dll

    Those look pretty suspicious. Everything else looks OK.

    These days HijackThis can't tell you everything unfortunately. For example, the last nasty I fought with overwrote the System beep driver (beep.sys) with an infected copy.

    If that doesn't work, try ComboFix. ComboFix can mess up your computer so it's sort of a tool of last resort.

    Basically what ComboFix does is kill everything on your computer except the very basics and then scrapes the malware off. It has like 45+ specific fixes for these nasties. Sometimes it can't get it all, so it generates a log. You then look at the log and look for anything it didn't get, then you write that into a little specially-formatted text file. You drop the text file on the ComboFix icon and it scrapes that stuff off as well. By that point it's really gone and you can do your usual scans and clean up.

    Liquid Hellz
    edited September 2008
    How do I create that specially-formatted text file? I have the log here:

    ComboFix 08-09-04.09 - K 2008-09-05 19:48:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1692 [GMT -4:00]
    Running from: C:\Documents and Settings\K\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\emtb.exe
    C:\WINDOWS\eovk.exe
    C:\WINDOWS\system32\awtQGaaY.dll
    C:\WINDOWS\system32\bxlnekli.ini
    C:\WINDOWS\system32\cbhteipu.dll
    C:\WINDOWS\system32\cgeueutl.ini
    C:\WINDOWS\system32\civpyuno.dll
    C:\WINDOWS\system32\cplbbxce.ini
    C:\WINDOWS\system32\csbwprsl.dll
    C:\WINDOWS\system32\dyqflhym.dll
    C:\WINDOWS\system32\ecxbblpc.dll
    C:\WINDOWS\system32\eigotcdy.ini
    C:\WINDOWS\system32\eohxgr.dll
    C:\WINDOWS\system32\fmfbxlui.dll
    C:\WINDOWS\system32\fmqftpek.ini
    C:\WINDOWS\system32\gavayl.dll
    C:\WINDOWS\system32\gnfbcl.dll
    C:\WINDOWS\system32\GQtAbJjl.ini
    C:\WINDOWS\system32\GQtAbJjl.ini2
    C:\WINDOWS\system32\hmkaxcxk.ini
    C:\WINDOWS\system32\hvmgejhn.dll
    C:\WINDOWS\system32\ibnvwkrp.ini
    C:\WINDOWS\system32\iulgpa.dll
    C:\WINDOWS\system32\iulxbfmf.ini
    C:\WINDOWS\system32\kcbjubim.dll
    C:\WINDOWS\system32\keptfqmf.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mibujbck.ini
    C:\WINDOWS\system32\mobvfrtb.ini
    C:\WINDOWS\system32\neqmnbhl.ini
    C:\WINDOWS\system32\nfyfktin.dll
    C:\WINDOWS\system32\nkpyrsgq.dll
    C:\WINDOWS\system32\nosxnwdg.dll
    C:\WINDOWS\system32\nwbnfpcv.dll
    C:\WINDOWS\system32\oegtte.dll
    C:\WINDOWS\system32\oevynvir.dll
    C:\WINDOWS\system32\ohtgiopv.dll
    C:\WINDOWS\system32\pcmewsox.ini
    C:\WINDOWS\system32\qrbmwb.dll
    C:\WINDOWS\system32\rlygip.dll
    C:\WINDOWS\system32\rryuxdgb.dll
    C:\WINDOWS\system32\sqhmkfqy.ini
    C:\WINDOWS\system32\uvamap.dll
    C:\WINDOWS\system32\vixopo.dll
    C:\WINDOWS\system32\vjhfge.dll
    C:\WINDOWS\system32\vziblr.dll
    C:\WINDOWS\system32\winupdate.exe
    C:\WINDOWS\system32\wmydimty.ini
    C:\WINDOWS\system32\wpxdjxjm.dll
    C:\WINDOWS\system32\xmrhudyv.ini
    C:\WINDOWS\system32\xoswemcp.dll
    C:\WINDOWS\system32\ydctogie.dll
    C:\WINDOWS\system32\yhfkiq.dll
    C:\WINDOWS\system32\yomccr.dll
    C:\WINDOWS\system32\ytmidymw.dll
    C:\WINDOWS\twmxbsqrsqm.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
    .

    2008-09-04 19:36 . 2008-09-04 19:36 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-04 18:09 . 2008-09-04 18:09 103,552 --a------ C:\WINDOWS\system32\lhbnmqen.dll
    2008-09-01 14:15 . 2008-09-01 14:15 124,544 --a------ C:\WINDOWS\system32\vlxtgukb.dll
    2008-09-01 14:15 . 2008-09-01 14:15 124,544 --a------ C:\WINDOWS\system32\jepnnv.dll
    2008-08-31 11:54 . 2008-08-31 11:54 125,056 --a------ C:\WINDOWS\system32\hhwzwc.dll
    2008-08-31 11:54 . 2008-08-31 11:54 125,056 --a------ C:\WINDOWS\system32\ewkwcplf.dll
    2008-08-27 18:06 . 2008-08-27 18:06 103,552 --a------ C:\WINDOWS\system32\ilkenlxb.dll
    2008-08-21 16:37 . 2008-08-21 16:37 <DIR> d-------- C:\VundoFix Backups
    2008-08-21 16:24 . 2008-08-21 16:26 2,472 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-21 16:17 . 2008-08-21 16:17 88,524 --a------ C:\smitfrau.reg
    2008-08-21 16:17 . 2006-05-27 19:03 16,824 --a------ C:\replace.cmd
    2008-08-21 16:17 . 2008-08-21 16:17 1,458 --a------ C:\smitfra.reg
    2008-08-21 16:06 . 2008-08-21 16:06 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-21 14:54 . 2008-08-21 14:55 326,144 --a------ C:\WINDOWS\system32\ljJbAtQG.dll
    2008-08-21 14:49 . 2008-08-21 14:49 34,176 --a------ C:\WINDOWS\system32\qoMcaBRK.dll.vir
    2008-08-21 14:46 . 2008-08-21 14:46 147,456 ---hs---- C:\Documents and Settings\K\ppxcs.exe
    2008-08-21 14:46 . 2008-08-21 14:46 134,144 ---hs---- C:\Documents and Settings\K\intelOP.exe
    2008-08-21 14:46 . 2008-08-21 14:46 103,936 ---hs---- C:\Documents and Settings\K\sccs.exe
    2008-08-21 14:46 . 2008-08-21 14:46 103,424 ---hs---- C:\Documents and Settings\K\css.exe
    2008-08-21 14:46 . 2008-08-21 12:59 94,208 --a------ C:\WINDOWS\tqwolser.exe
    2008-08-21 14:46 . 2008-08-21 14:46 69,632 ---hs---- C:\Documents and Settings\K\MediaTubeCodec_ver1.1463.0.exe
    2008-08-16 14:10 . 2008-08-16 15:24 <DIR> d-------- C:\Program Files\Wrath of the Lich King Beta

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-05 18:01 d-----w C:\Documents and Settings\K\Application Data\SPORE Creature Creator
    2008-08-31 19:02 d-----w C:\Documents and Settings\K\Application Data\uTorrent
    2008-08-27 02:09 d-----w C:\Program Files\Common Files\AOL
    2008-08-27 02:09 d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-08-24 13:11 d-----w C:\Program Files\Steam
    2008-08-21 20:57 d-----w C:\Program Files\Enigma Software Group
    2008-08-21 20:43 d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-21 19:32 d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-16 18:25 d-----w C:\Program Files\Common Files\Blizzard Entertainment
    2008-08-14 22:29 d-----w C:\Program Files\World of Warcraft
    2006-09-12 19:25 580 -c--a-w C:\Documents and Settings\K\Application Data\wklnhst.dat
    .

    Sigcheck

    2006-08-30 21:40 516608 e0ebf501f5e18a3fdd16f25a7af3fdf0 C:\WINDOWS\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE201C6-5511-4615-8EC6-413B614C1318}]
    2008-08-21 14:55 326144 --a------ C:\WINDOWS\System32\ljJbAtQG.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2006-06-02 385024]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 8523776]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "UserId"= N7@ACAM
    "UserIdNo"= 843 (0x34b)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=vjhfge.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.X264"= x264vfw.dll
    "vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    "vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^K^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=C:\Documents and Settings\K\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    --a--c--- 2004-06-14 11:54 200704 C:\Program Files\GIGABYTE\ET5\GUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
    --a--c--- 2007-03-05 13:57 1103480 C:\Program Files\IGN\Download Manager\DLM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-07-27 20:14 271672 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    c--- 2005-10-11 18:25 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a--c--- 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
    --a--c--- 2007-04-12 21:51 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-06-26 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    --a--c--- 2004-11-11 00:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    -r---c--- 2005-05-03 06:43 69632 C:\WINDOWS\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    -r---c--- 2006-05-26 22:47 16208384 C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    -r---c--- 2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"="0x00000000"
    "UpdatesDisableNotify"="0x00000000"

    S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\K\LOCALS~1\Temp\mdxgthkn.sys [ ]
    S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\K\LOCALS~1\Temp\TCCpuInfo.sys [ ]

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1BA84DC3-AFBA-4AE2-AD4F-3AF2F857466B} - (no file)
    BHO-{2A74643F-66D3-4752-9505-B3A14B169096} - (no file)
    BHO-{3EFEDC49-BE79-4949-ACC2-86A25DD47B43} - (no file)
    BHO-{40E55E98-4873-4151-B5C5-1437064C1D9C} - (no file)
    BHO-{6B35A95E-5573-4A7E-AC38-3FBA285B7CDC} - (no file)
    BHO-{7BDF1BF9-794A-4C26-B30C-BF84D0D501A6} - (no file)
    BHO-{9B97422F-9772-46D5-8650-FF1A0763ACBB} - (no file)
    BHO-{B3CC7625-31D1-4911-A1CA-5D84FEAE921D} - (no file)
    BHO-{F3939C32-D8B1-4D12-8924-A752327833E2} - (no file)
    MSConfigStartUp-9c84cc06 - C:\WINDOWS\System32\prkwvnbi.dll
    MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
    MSConfigStartUp-EA Core - C:\Program Files\Electronic Arts\EA Link\Core.exe
    MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1156968265\ee\AOLSoftware.exe
    MSConfigStartUp-IPHSend - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe


    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\K\Application Data\Mozilla\Firefox\Profiles\tdtmqjnr.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.penny-arcade.com/
    FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-05 19:51:52
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-05 19:54:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-05 23:54:07

    Pre-Run: 15,606,128,640 bytes free
    Post-Run: 15,509,397,504 bytes free

    245

    DrFrylock
    edited September 2008
    Wow, nasty bunch of buggers there.

    Note: At this point I take zero responsibility for anything that happens to your computer. I cannot stress this enough. There is a lot of guesswork from this point on. At this point there are a bunch of nasties on your computer and I'm not quite sure how to get rid of all of them. Problem is that any one of them, if left around, can go download his 85 best friends and install them again and then you're back at square one.

    Some more experienced people might be able to help you out better. If you go post a hijackthis log on bleepingcomputer or majorgeeks you'll get someone that does this all the time. I'm an educated amateur.

    If you still want to continue:

    Basically what that log tells you is that you got a bunch of bad stuff, but some got left over. Create a text file called CFScript.txt with the following contents:
    File::
    C:\WINDOWS\system32\lhbnmqen.dll
    C:\WINDOWS\system32\vlxtgukb.dll
    C:\WINDOWS\system32\jepnnv.dll
    C:\WINDOWS\system32\hhwzwc.dll
    C:\WINDOWS\system32\ewkwcplf.dll
    C:\WINDOWS\system32\ilkenlxb.dll
    C:\WINDOWS\system32\ljJbAtQG.dll
    C:\WINDOWS\system32\qoMcaBRK.dll.vir
    C:\Documents and Settings\K\ppxcs.exe
    C:\Documents and Settings\K\intelOP.exe
    C:\Documents and Settings\K\sccs.exe
    C:\Documents and Settings\K\css.exe
    C:\WINDOWS\tqwolser.exe
    C:\Documents and Settings\K\MediaTubeCodec_ver1.1463.0.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE201C6-5511-4615-8EC6-413B614C1318}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-

    Especially with those registry changes, this has a pretty good chance of making something bad happen to your computer. You may just want to go into regedit and try to delete the browser helper object there and remove the nasty from AppInit_DLLs manually. That may work if you've already run ComboFix.

    Drag and drop this file onto the ComboFix executable. ComboFix will run again and nuke all these files and make changes to the registry. Note that the way I'm generating this is by looking at all the stuff that was created since your first infection (as per the ComboFix log) and looking for stuff that looks suspicious based on filename/location/etc.

    I'm pretty sure you have a bogus service too:

    C:\DOCUME~1\K\LOCALS~1\Temp\mdxgthkn.sys

    You probably won't be able to delete this without stopping the service. If you add it to the CFscript.txt script it may work but you might get errors when you reboot your computer. Google mdxgthkn.sys for more info on how to get rid of this particular baddie.

    Additionally, since you have likely been running your computer since you posted this log, if there's nasties still running, they may be creating more nasties. You may have to go through several more iterations to get rid of it all.

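The triage DrFrylock walks through in his two posts above (treating every AppInit_DLLs entry as suspect, then going over ComboFix's "Files Created" window for files whose name or location looks wrong and turning the result into a CFScript.txt) is shown here as an added Python example. It is not code from this thread, from ComboFix or from HijackThis. The log excerpts are constructed from lines copied out of the thread; the nine-character attribute column is assumed from the intact "---hs----" entries; the vowel-ratio rule for random-looking names is my own heuristic, not something either tool implements; and the CFScript directives used are only the two (File:: and Registry::) that the post itself shows.

```python
"""Triage a post-infection file list: parse the ComboFix "Files Created"
window and the HijackThis O20 line, flag entries by location and by
random-looking name, and emit a CFScript.txt. Added example; inputs are
constructed from the thread's own logs."""
import ntpath
import re

# Constructed HijackThis excerpt (two lines copied from the thread).
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: uvamap.dll iulgpa.dll vixopo.dll vziblr.dll yhfkiq.dll yomccr.dll eohxgr.dll oegtte.dll
"""

# Constructed ComboFix excerpt: "Files Created" lines plus one service line.
# Attribute column assumed as 9 chars (d=dir, a=archive, h=hidden, s=system).
COMBOFIX_EXCERPT = r"""
2008-09-04 19:36 . 2008-09-04 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 18:09 . 2008-09-04 18:09 103,552 --a------ C:\WINDOWS\system32\lhbnmqen.dll
2008-08-21 14:54 . 2008-08-21 14:55 326,144 --a------ C:\WINDOWS\system32\ljJbAtQG.dll
2008-08-21 14:49 . 2008-08-21 14:49 34,176 --a------ C:\WINDOWS\system32\qoMcaBRK.dll.vir
2008-08-21 14:46 . 2008-08-21 14:46 134,144 ---hs---- C:\Documents and Settings\K\intelOP.exe
2008-08-21 14:46 . 2008-08-21 12:59 94,208 --a------ C:\WINDOWS\tqwolser.exe
2008-08-21 16:17 . 2008-08-21 16:17 88,524 --a------ C:\smitfrau.reg
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\K\LOCALS~1\Temp\mdxgthkn.sys [ ]
"""

CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$", re.M)
SERVICE_RE = re.compile(r"^S\d\s+[^;]+;[^;]+;(\S+)", re.M)   # 8.3 paths, no spaces
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.+?)\s*$", re.M)

WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
PROFILE_ROOT = "c:\\documents and settings\\"


def looks_random(stem):
    """Vundo-style names: 6-8 bare letters with few vowels (lhbnmqen, ljJbAtQG).
    A heuristic, not a verdict: legitimate names such as wdfmgr match too, so
    callers pass an allowlist, and it is only sensible over the window of
    files created since the infection, as the post does."""
    s = stem.lower()
    if not (6 <= len(s) <= 8 and s.isalpha()):
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def triage(hjt_text, combofix_text, allow=frozenset()):
    allow = {a.lower() for a in allow}
    files, reasons = [], {}
    for _, _, size, attrs, path in CREATED_RE.findall(combofix_text):
        name = ntpath.basename(path)
        if size == "<DIR>" or name.lower() in allow:
            continue
        parent = ntpath.dirname(path).lower()
        if "h" in attrs and "s" in attrs and path.lower().startswith(PROFILE_ROOT):
            reasons[path] = "hidden+system file dropped in the user profile"
        elif parent in WINDOWS_DIRS and looks_random(name.split(".")[0]):
            reasons[path] = "random-looking name in a Windows directory"
        if path in reasons:
            files.append(path)
    # Anything in AppInit_DLLs is loaded into every process that maps
    # user32.dll; on a home XP box an empty value is the normal state.
    appinit = []
    for m in APPINIT_RE.finditer(hjt_text):
        appinit += [d for d in m.group(1).split() if d.lower() not in allow]
    # A driver whose image lives under a Temp directory never belongs there.
    services = [p for p in SERVICE_RE.findall(combofix_text) if "\\temp\\" in p.lower()]
    return {"files": files, "reasons": reasons, "appinit": appinit, "services": services}


def build_cfscript(findings):
    """CFScript.txt in the layout the post shows: a File:: block and, when
    AppInit_DLLs was populated, a Registry:: block that blanks it. Drivers
    are reported, not scripted: the service has to be stopped first."""
    out = ["File::", *findings["files"], ""]
    if findings["appinit"]:
        out += ["Registry::",
                r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                '"AppInit_DLLs"=-', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(HJT_EXCERPT, COMBOFIX_EXCERPT)
    for path in found["files"]:
        print(f"{path}  <- {found['reasons'][path]}")
    print("AppInit_DLLs:", " ".join(found["appinit"]))
    print("Temp-resident drivers (stop the service before deleting):", *found["services"])
    print(build_cfscript(found))
```

Run it against a full log by swapping the two excerpt strings for the real files; the allowlist is where you put names you have checked by hand (signed vendor binaries, your own tools), because the name heuristic alone will flag legitimate short consonant-heavy names.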
    Thanatos
    edited September 2008
    I'm going to go ahead and recommend you backup all the data you need, and reformat.

    Liquid Hellz
    edited September 2008
    Thanatos wrote: »
    I'm going to go ahead and recommend you backup all the data you need, and reformat.

    Yeah, that was my last-resort type option. I lost my iPod so I need to get some DVDs to burn my MP3s to. If I try what Fry is saying before that, will it be impossible to back up my stuff?

    turpentyine
    edited September 2008
    You should go here; there are pros there that help you out for free. Just read the rules/guidelines message before you post:
    http://forums.spybot.info/forumdisplay.php?f=22

    whuppins
    edited September 2008
    I've actually successfully removed virtumonde from a friend's laptop. This was a while ago, but as I remembered it, it uses a startup hook to create randomly-named .dlls (and other files, .inis and such) in c:\windows\system32\. If either the registry hook OR any .dlls are present, they will revive each other at the next startup, like a boss battle on a SNES RPG. Therefore, it's important to remove everything at once.

    If I recall correctly, it was a combination of Microsoft's Malicious Software Removal Tool and the virus-specific tool that Frylock mentioned that got rid of the hooks. Then, without rebooting the computer, I went through \system32\ and manually deleted each junk file. It's true that arbitrarily deleting .dlls from \system32\ can do a lot of damage, but in this case, you'll probably be fine if you use your best judgment. Eight-character filenames consisting of random letters are a dead giveaway. Track all these down and delete them, along with any suspicious (and similarly-named) items in the registry, Startup folder, and other trouble spots. Run as many cleaners as you can, ideally multiple times, then cross your fingers and reboot the system. If you come back into windows and don't see any new files in \system32\, you're probably in the clear.

    Some of the junk .dlls wouldn't let me delete them as they were perpetually in use. In my case, I was able to delete them by stopping Explorer (end the "explorer.exe" process in Task Manager), opening cmd, and just manually doing del commands. If it still won't let you delete them, clear out everything else, then use MoveFile to have Windows delete them at the very beginning of the next boot, before any other stuff has a chance to take control.

    This combination of thorough manual deletion and multiple registry scans did the trick for me. If you can track down every single one of the junk files, you'll win. Once I realized what I needed to do, it only took 30 minutes of actual work (followed by several hours of scans while I watched football) to clear it up.

    Hope this helps.

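The check at the end of the post above, "if you come back into Windows and don't see any new files in \system32\, you're probably in the clear", is easier to do reliably with a baseline than by eye. Here is that check as an added Python example; it is not the poster's tooling or any Sysinternals utility. It hashes the files directly inside a directory, stores the snapshot as JSON, and after the reboot reports new, removed and modified names; the modified list is what would also have caught the overwritten beep.sys that DrFrylock mentions earlier in the thread. The script and baseline file names in the usage comment are assumptions.

```python
"""Baseline-and-diff for a directory such as C:\WINDOWS\system32. Run once
before the reboot to write a baseline, run again afterwards to see whether
the dropper revived anything. Added example; not the poster's or any tool's code."""
import hashlib
import json
import os
import sys
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directory):
    """Map file name -> size and hash for the regular files directly inside
    `directory`. No recursion: the droppers in this thread land flat in
    system32 and the profile root. Hidden/system files are included, because
    os.scandir does not filter on attributes."""
    snap = {}
    with os.scandir(directory) as entries:
        for e in entries:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                snap[e.name] = {"size": st.st_size, "sha256": file_digest(e.path)}
    return snap


def diff(before, after):
    """New names are what the post says to look for; modified names catch an
    in-place overwrite of a legitimate file (the beep.sys case)."""
    common = set(before) & set(after)
    return {
        "new": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(n for n in common if before[n]["sha256"] != after[n]["sha256"]),
    }


def report(before, after):
    """One line per change, for reading off the console."""
    d = diff(before, after)
    lines = [f"NEW       {n}  {after[n]['size']:>9} bytes  {after[n]['sha256'][:16]}" for n in d["new"]]
    lines += [f"MODIFIED  {n}  {before[n]['sha256'][:16]} -> {after[n]['sha256'][:16]}" for n in d["modified"]]
    lines += [f"REMOVED   {n}" for n in d["removed"]]
    return "\n".join(lines) if lines else "no changes since baseline"


if __name__ == "__main__":
    # Assumed usage (file names are placeholders):
    #   python sysdiff.py baseline.json C:\WINDOWS\system32
    # The first run writes the baseline; later runs diff against it.
    baseline_file, target = Path(sys.argv[1]), sys.argv[2]
    current = snapshot(target)
    if baseline_file.exists():
        print(report(json.loads(baseline_file.read_text()), current))
    else:
        baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
        print(f"baseline written: {len(current)} files")
```

Take the baseline from a boot where you have already deleted everything you could find, keep baseline.json somewhere the malware will not touch (a USB stick), and expect one more round if anything shows up as NEW after the reboot.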
    Etch
    edited September 2008
    This is the guide I used to get rid of Virtumonde

    http://bbayles.googlepages.com/antivundo.html

    It worked for me, but takes a while to do.

    Tomanta
    edited September 2008
    Thanatos wrote: »
    I'm going to go ahead and recommend you backup all the data you need, and reformat.

    As someone who spent several days trying to get rid of a Virtumonde variant, including self-removal guides and failing - and finally reformatting - I agree with Thanatos.

    Then again, my computer was only a month old at the time so the format was easy.

    Descendant X
    edited September 2008
    I think I had something similar on my wife's laptop and I ended up reformatting. I moved all the pictures she had onto various thumb drives and cards using a Linux install disk.
