The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.
Got some Nasty spyware
EliteLamer
__BANNED USERS regular
__BANNED USERS regular
I just got this about an hour ago and it has frozen a "warning spyware detected" to my wallpaper. It is causing my computer to get blue screens of death. Am I just going to have to format?
SEGA
EliteLamer on
0
Posts
You could try SafeMode AntiVirus and AntiSpyware scans, but failing that it's sometimes just easier to start from scratch.
Install and run Ad-Aware, SpyBot, and CCleaner.
These two are what I use for my job along with Malwarebytes Anti-Spyware. The last one is to remove the Antivirus 2008 spyware that has been cropping up lately.
If those don't work, post a HijackThis log and I'll take a look at it. It would be useful to know what you've actually got. I've fixed two of these without reformatting but it was not easy.
Yeah, I've seen this same thing on 2 computers.
Just FYI, WIN+R will open the Run prompt, which is useful if the virus has disabled the start menu item and you need to access System Configuration Utility (msconfig) or edit Registry Entries (regedit) such as if you've been locked out of task manager.
Definitely do some internet searching on your symptoms. I was able to find a fix for the problem, but it was a while ago.
Home Inspection and Wind Mitigation
http://www.FairWindInspections.com/
Try some custom software that's built to remove Virtumonde. These will probably scrape off the worst of things, but it's advisable to run HijackThis right afterwards to remove the detritus left behind.
Home Inspection and Wind Mitigation
http://www.FairWindInspections.com/
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O20 - AppInit_DLLs: uvamap.dll iulgpa.dll vixopo.dll vziblr.dll yhfkiq.dll yomccr.dll eohxgr.dll oegtte.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 3953 bytes
Home Inspection and Wind Mitigation
http://www.FairWindInspections.com/
Those look pretty suspicious. Everything else looks OK.
These days HijackThis can't tell you everything unfortunately. For example, the last nasty I fought with overwrote the System beep driver (beep.sys) with an infected copy.
If that doesn't work, try ComboFix. ComboFix can mess up your computer so it's sort of a tool of last resort.
Basically what ComboFix does is kill everything on your computer except the very basics and then scrapes the malware off. It has like 45+ specific fixes for these nasties. Sometimes it can't get it all, so it generates a log. You then look at the log and look for anything it didn't get, then you write that into a little specially-formatted text file. You drop the text file on the ComboFix icon and it scrapes that stuff off as well. By that point it's really gone and you can do your usual scans and clean up.
ComboFix 08-09-04.09 - K 2008-09-05 19:48:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1692 [GMT -4:00]
Running from: C:\Documents and Settings\K\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\emtb.exe
C:\WINDOWS\eovk.exe
C:\WINDOWS\system32\awtQGaaY.dll
C:\WINDOWS\system32\bxlnekli.ini
C:\WINDOWS\system32\cbhteipu.dll
C:\WINDOWS\system32\cgeueutl.ini
C:\WINDOWS\system32\civpyuno.dll
C:\WINDOWS\system32\cplbbxce.ini
C:\WINDOWS\system32\csbwprsl.dll
C:\WINDOWS\system32\dyqflhym.dll
C:\WINDOWS\system32\ecxbblpc.dll
C:\WINDOWS\system32\eigotcdy.ini
C:\WINDOWS\system32\eohxgr.dll
C:\WINDOWS\system32\fmfbxlui.dll
C:\WINDOWS\system32\fmqftpek.ini
C:\WINDOWS\system32\gavayl.dll
C:\WINDOWS\system32\gnfbcl.dll
C:\WINDOWS\system32\GQtAbJjl.ini
C:\WINDOWS\system32\GQtAbJjl.ini2
C:\WINDOWS\system32\hmkaxcxk.ini
C:\WINDOWS\system32\hvmgejhn.dll
C:\WINDOWS\system32\ibnvwkrp.ini
C:\WINDOWS\system32\iulgpa.dll
C:\WINDOWS\system32\iulxbfmf.ini
C:\WINDOWS\system32\kcbjubim.dll
C:\WINDOWS\system32\keptfqmf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mibujbck.ini
C:\WINDOWS\system32\mobvfrtb.ini
C:\WINDOWS\system32\neqmnbhl.ini
C:\WINDOWS\system32\nfyfktin.dll
C:\WINDOWS\system32\nkpyrsgq.dll
C:\WINDOWS\system32\nosxnwdg.dll
C:\WINDOWS\system32\nwbnfpcv.dll
C:\WINDOWS\system32\oegtte.dll
C:\WINDOWS\system32\oevynvir.dll
C:\WINDOWS\system32\ohtgiopv.dll
C:\WINDOWS\system32\pcmewsox.ini
C:\WINDOWS\system32\qrbmwb.dll
C:\WINDOWS\system32\rlygip.dll
C:\WINDOWS\system32\rryuxdgb.dll
C:\WINDOWS\system32\sqhmkfqy.ini
C:\WINDOWS\system32\uvamap.dll
C:\WINDOWS\system32\vixopo.dll
C:\WINDOWS\system32\vjhfge.dll
C:\WINDOWS\system32\vziblr.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wmydimty.ini
C:\WINDOWS\system32\wpxdjxjm.dll
C:\WINDOWS\system32\xmrhudyv.ini
C:\WINDOWS\system32\xoswemcp.dll
C:\WINDOWS\system32\ydctogie.dll
C:\WINDOWS\system32\yhfkiq.dll
C:\WINDOWS\system32\yomccr.dll
C:\WINDOWS\system32\ytmidymw.dll
C:\WINDOWS\twmxbsqrsqm.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-09-04 19:36 . 2008-09-04 19:36 <DIR> d
C:\Program Files\Trend Micro
2008-09-04 18:09 . 2008-09-04 18:09 103,552 --a
C:\WINDOWS\system32\lhbnmqen.dll
2008-09-01 14:15 . 2008-09-01 14:15 124,544 --a
C:\WINDOWS\system32\vlxtgukb.dll
2008-09-01 14:15 . 2008-09-01 14:15 124,544 --a
C:\WINDOWS\system32\jepnnv.dll
2008-08-31 11:54 . 2008-08-31 11:54 125,056 --a
C:\WINDOWS\system32\hhwzwc.dll
2008-08-31 11:54 . 2008-08-31 11:54 125,056 --a
C:\WINDOWS\system32\ewkwcplf.dll
2008-08-27 18:06 . 2008-08-27 18:06 103,552 --a
C:\WINDOWS\system32\ilkenlxb.dll
2008-08-21 16:37 . 2008-08-21 16:37 <DIR> d
C:\VundoFix Backups
2008-08-21 16:24 . 2008-08-21 16:26 2,472 --a
C:\WINDOWS\system32\tmp.reg
2008-08-21 16:17 . 2008-08-21 16:17 88,524 --a
C:\smitfrau.reg
2008-08-21 16:17 . 2006-05-27 19:03 16,824 --a
C:\replace.cmd
2008-08-21 16:17 . 2008-08-21 16:17 1,458 --a
C:\smitfra.reg
2008-08-21 16:06 . 2008-08-21 16:06 <DIR> d
C:\Documents and Settings\Administrator
2008-08-21 14:54 . 2008-08-21 14:55 326,144 --a
C:\WINDOWS\system32\ljJbAtQG.dll
2008-08-21 14:49 . 2008-08-21 14:49 34,176 --a
C:\WINDOWS\system32\qoMcaBRK.dll.vir
2008-08-21 14:46 . 2008-08-21 14:46 147,456 ---hs---- C:\Documents and Settings\K\ppxcs.exe
2008-08-21 14:46 . 2008-08-21 14:46 134,144 ---hs---- C:\Documents and Settings\K\intelOP.exe
2008-08-21 14:46 . 2008-08-21 14:46 103,936 ---hs---- C:\Documents and Settings\K\sccs.exe
2008-08-21 14:46 . 2008-08-21 14:46 103,424 ---hs---- C:\Documents and Settings\K\css.exe
2008-08-21 14:46 . 2008-08-21 12:59 94,208 --a
C:\WINDOWS\tqwolser.exe
2008-08-21 14:46 . 2008-08-21 14:46 69,632 ---hs---- C:\Documents and Settings\K\MediaTubeCodec_ver1.1463.0.exe
2008-08-16 14:10 . 2008-08-16 15:24 <DIR> d
C:\Program Files\Wrath of the Lich King Beta
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:01
d
w C:\Documents and Settings\K\Application Data\SPORE Creature Creator
2008-08-31 19:02
d
w C:\Documents and Settings\K\Application Data\uTorrent
2008-08-27 02:09
d
w C:\Program Files\Common Files\AOL
2008-08-27 02:09
d
w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-24 13:11
d
w C:\Program Files\Steam
2008-08-21 20:57
d
w C:\Program Files\Enigma Software Group
2008-08-21 20:43
d
w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 19:32
d
w C:\Program Files\Spybot - Search & Destroy
2008-08-16 18:25
d
w C:\Program Files\Common Files\Blizzard Entertainment
2008-08-14 22:29
d
w C:\Program Files\World of Warcraft
2006-09-12 19:25 580 -c--a-w C:\Documents and Settings\K\Application Data\wklnhst.dat
.
Sigcheck
2006-08-30 21:40 516608 e0ebf501f5e18a3fdd16f25a7af3fdf0 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE201C6-5511-4615-8EC6-413B614C1318}]
2008-08-21 14:55 326144 --a
C:\WINDOWS\System32\ljJbAtQG.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2006-06-02 385024]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UserId"= N7@ACAM
"UserIdNo"= 843 (0x34b)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vjhfge.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.X264"= x264vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
[HKLM\~\startupfolder\C:^Documents and Settings^K^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\K\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a
2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a--c--- 2004-06-14 11:54 200704 C:\Program Files\GIGABYTE\ET5\GUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a--c--- 2007-03-05 13:57 1103480 C:\Program Files\IGN\Download Manager\DLM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a
2007-07-27 20:14 271672 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
c--- 2005-10-11 18:25 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a
2007-12-05 02:41 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
--a--c--- 2007-04-12 21:51 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a
2007-06-26 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-11 00:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a
2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r---c--- 2005-05-03 06:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r---c--- 2006-05-26 22:47 16208384 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r---c--- 2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\K\LOCALS~1\Temp\mdxgthkn.sys [ ]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\K\LOCALS~1\Temp\TCCpuInfo.sys [ ]
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{1BA84DC3-AFBA-4AE2-AD4F-3AF2F857466B} - (no file)
BHO-{2A74643F-66D3-4752-9505-B3A14B169096} - (no file)
BHO-{3EFEDC49-BE79-4949-ACC2-86A25DD47B43} - (no file)
BHO-{40E55E98-4873-4151-B5C5-1437064C1D9C} - (no file)
BHO-{6B35A95E-5573-4A7E-AC38-3FBA285B7CDC} - (no file)
BHO-{7BDF1BF9-794A-4C26-B30C-BF84D0D501A6} - (no file)
BHO-{9B97422F-9772-46D5-8650-FF1A0763ACBB} - (no file)
BHO-{B3CC7625-31D1-4911-A1CA-5D84FEAE921D} - (no file)
BHO-{F3939C32-D8B1-4D12-8924-A752327833E2} - (no file)
MSConfigStartUp-9c84cc06 - C:\WINDOWS\System32\prkwvnbi.dll
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-EA Core - C:\Program Files\Electronic Arts\EA Link\Core.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1156968265\ee\AOLSoftware.exe
MSConfigStartUp-IPHSend - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\K\Application Data\Mozilla\Firefox\Profiles\tdtmqjnr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.penny-arcade.com/
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 19:51:52
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-09-05 19:54:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 23:54:07
Pre-Run: 15,606,128,640 bytes free
Post-Run: 15,509,397,504 bytes free
245
Home Inspection and Wind Mitigation
http://www.FairWindInspections.com/
Note: At this point I take zero responsibility for anything that happens to your computer. I cannot stress this enough. There is a lot of guesswork from this point on. At this point there are a bunch of nasties on your computer and I'm not quite sure how to get rid of all of them. Problem is that any one of them, if left around, can go download his 85 best friends and install them again and then you're back at square one.
Some more experienced people might be able to help you out better. If you go post a hijackthis log on bleepingcomputer or majorgeeks you'll get someone that does this all the time. I'm an educated amateur.
If you still want to continue:
Basically what that log tells you is that you got a bunch of bad stuff, but some got left over. Create a text file called CFScript.txt with the following contents:
Especialy with those registry changes, this has a pretty good chance of making something bad happen to your computer. You may just want to go into regedit and try to delete the browser helper object there and remove the nasty from AppInit_DLLs manually. That may work if you've already run ComboFix.
Drag and drop this file onto the combofix executable. ComboFix will run again and nuke all these files and make changes to the registry. Note that the way I'm generating this is looking at all the stuff that was created since your first infection (as per the combofix log) and looking for stuff that looks suspicious based on filename/location/etc.
I'm pretty sure you have a bogus service too:
C:\DOCUME~1\K\LOCALS~1\Temp\mdxgthkn.sys
You probably won't be able to delete this without stopping the service. If you add it to the CFscript.txt script it may work but you might get errors when you reboot your computer. Google mdxgthkn.sys for more info on how to get rid of this particular baddie.
Additionally, since you have likely been running your computer since you posted this log, if there's nasties still running, they may be creating more nasties. You may have to go through several more iterations to get rid of it all.
Yeah that was my last resort type option. I lost my ipod so I need to get some dvds to burn my mp3's too.. If I try what fry is saying before that will it be impossible to back up my stuff?
Home Inspection and Wind Mitigation
http://www.FairWindInspections.com/
http://forums.spybot.info/forumdisplay.php?f=22
If I recall correctly, it was a combination of Microsoft's Malicious Software Removal Tool and the virus-specific tool that Frylock mentioned that got rid of the hooks. Then, without rebooting the computer, I went through \system32\ and manually deleted each junk file. It's true that arbitrarily deleting .dlls from \system32\ can do a lot of damage, but in this case, you'll probably be fine if you use your best judgment. Eight-character filenames consisting of random letters are a dead giveaway. Track all these down and delete them, along with any suspicious (and similarly-named) items in the registry, Startup folder, and other trouble spots. Run as many cleaners as you can, ideally multiple times, then cross your fingers and reboot the system. If you come back into windows and don't see any new files in \system32\, you're probably in the clear.
Some of the junk .dlls wouldn't let me delete them as they were perpetually in use. In my case, I was able to delete them by stopping Explorer (end the "explorer.exe" process in Task Manager), opening cmd, and just manually doing del commands. If it still won't let you delete them, clear out everything else, then use MoveFile to have Windows delete them at the very beginning of the next boot, before any other stuff has a chance to take control.
This combination of thorough manual deletion and multiple registry scans did the trick for me. If you can track down every single one of the junk files, you'll win. Once I realized what I needed to do, it only took 30 minutes of actual work (followed by several hours of scans while I watched football) to clear it up.
Hope this helps.
http://bbayles.googlepages.com/antivundo.html
It worked for me, but takes a while to do.
As someone who spent several days trying to get rid of a Virtumonde variant, including self-removal guides and failing - and finally reformatting - I agree with Thanatos.
Then again, my computer was only a month old at the time so the format was easy.