Not sure what, but it's serious malware

Status
Not open for further replies.
Hi all, this is my first post to TechSpot! I've been visiting the site for a long time trying to pick up tidbits of easy tech fixes and this has been about the best place I could find - keep up the good work!

I figured I had everything running pretty well on my machine (regularly updating and keeping my AV current) until just yesterday, when that little shield with the X on it showed up with the "Spyware Infection has Detected !" tooltip. Since then I've tried my hopelessly inadequate Norton AV scan, installed Avast and caught about 8 infections (most not serious), and caught about 20 pieces of spyware with Ad-Aware SE.

It's sad but I guess that's pretty normal - my problem is the shield icon is still there however and my machine is now popup hell with some other bizarre errors. Time to throw in the towel and ask for help. I downloaded HiJackThis and ran it. Here's the log:


A lot of this stuff I recognize and am relatively comfortable with, but I'm especially concerned with the svchost stuff, smss, and tcpipmon. If anyone can spot something else in there and has a recommendation, I would be deeply appreciative.

Thank you,
ZSolid
 
Hi and welcome to techspot. =)

Your system is infected by trojans and other malware.
You are also running an outdated version of HijackThis.


Please go to this thread HERE.

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
Do follow all the instructions exactly.

You may wish to copy and paste these instructions on notepad for easier reference later.

Download Vundofix from HERE.

Double click the Vundofix.exe to run it.
Right click in the vundofix window and click add files.

Enter the full file path(s) to the files you want Vundofix to delete and click the Add Files button, followed by the Close Window button. Click the Remove Vundo button and let Vundofix do its stuff.

These are the file paths you need to enter:
C:\WINDOWS\SYSTEM32\gebywuu.dll
C:\WINDOWS\system32\mlljg.dll


Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Next, boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.

Search for the following services (if present). Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

ALCXMNTR.EXE
MGSBAR.DLL
tcpipmon.exe
hkuxcjqs.dll


Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

ALCXMNTR.EXE
MGSBAR.DLL
tcpipmon.exe
hkuxcjqs.dll
gebywuu.dll
igfxsrvc.dll
mlljg.dll
nnllkh.dll
rpcc.dll


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\gebywuu.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\ijgtdlrk.dll (file missing)
O2 - BHO: (no name) - {9E3B153F-4035-4C7D-BA03-0B2B0FEC4FC2} - C:\WINDOWS\system32\mlljg.dll
O9 - Extra button: (no name) - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: gebywuu - C:\WINDOWS\SYSTEM32\gebywuu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll
O20 - Winlogon Notify: nnnllkh - C:\WINDOWS\SYSTEM32\nnnllkh.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

Close HJT.

Navigate in Windows Explorer and delete the following files and folders:
C:\Program Files\MyGlobalSearch\
C:\WINDOWS\system32\ijgtdlrk.dll
C:\WINDOWS\SYSTEM32\gebywuu.dll
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\SYSTEM32\nnnllkh.dll
C:\WINDOWS\system32\rpcc.dll

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.
That said, please do not copy and paste your logs into this thread; otherwise they will be ignored and/or removed by the moderators.

The logs will enable us to understand more about the problems on your system.


Regards,
Your friendly Momok =)
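The reply above has the poster fix the Winlogon Notify (HJT "O20") and Browser Helper Object (HJT "O2") entries by hand. The following PowerShell script is an added example, not code from the thread or from HijackThis, that enumerates those same two load points from the registry and reports whether each referenced DLL exists on disk and whether it carries a valid Authenticode signature. It assumes an XP-era Windows installation with PowerShell 2.0 or later and an elevated session; the registry paths are the standard locations for those two load points, and the `Suspicious` column is a heuristic of this example (missing file or non-valid signature), not a verdict.

```powershell
# Added example (not from the TechSpot thread): audit the persistence points the
# reply tells the poster to fix by hand, namely Winlogon Notify packages and
# Browser Helper Objects. Run from an elevated PowerShell prompt.

$findings = New-Object System.Collections.Generic.List[object]

function Describe-File {
    param([string]$Path)
    # Expand %SystemRoot%-style paths and check the file on disk
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Exists = $false; Signed = 'n/a'; Publisher = 'n/a' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    return [pscustomobject]@{ Path = $expanded; Exists = $true; Signed = $sig.Status; Publisher = $publisher }
}

function Add-Finding {
    param([string]$Source, $Info)
    # Heuristic of this example: a missing file (orphaned entry) or anything that
    # is not validly signed deserves a closer look before deciding to remove it
    $findings.Add([pscustomobject]@{
        Source     = $Source
        File       = $Info.Path
        Exists     = $Info.Exists
        Signature  = $Info.Signed
        Publisher  = $Info.Publisher
        Suspicious = (-not $Info.Exists) -or ("$($Info.Signed)" -ne 'Valid')
    })
}

# 1. Winlogon Notify packages: each subkey's DLLName value is loaded into
#    winlogon.exe at logon (the HJT "O20 - Winlogon Notify" lines).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if (-not $dll) { continue }
        # A bare file name resolves against %SystemRoot%\System32 at load time
        if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        Add-Finding -Source "O20 Winlogon Notify: $($sub.PSChildName)" -Info (Describe-File $dll)
    }
}

# 2. Browser Helper Objects: the BHO key only lists CLSIDs; the DLL comes from
#    the CLSID's InprocServer32 default value (the HJT "O2 - BHO" lines).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $inproc) {
            $dll  = (Get-ItemProperty -Path $inproc).'(default)'
            $info = Describe-File $dll
        } else {
            # CLSID registered as a BHO but with no server DLL: an orphaned entry
            $info = [pscustomobject]@{ Path = '(no InprocServer32)'; Exists = $false; Signed = 'n/a'; Publisher = 'n/a' }
        }
        Add-Finding -Source "O2 BHO: $clsid" -Info $info
    }
}

# Print everything, flagged entries first, so the list can be compared against
# the HJT log before any file is deleted
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Entries such as the "(file missing)" BHO in the reply show up with `Exists` false, while a DLL dropped into System32 without a signature shows up as unsigned; a legitimate Intel or Microsoft component (for instance the igfx entries that often appear in these logs) shows a valid signature and a known publisher, which is the check worth making before removing it.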