Flashplayer Ecards -

User has installed a malware "flashplayer" which affects the system in a number of ways. Unable to determin what the virus is, clamwin does not seem to detect it and if I try to go to sites like housecall then the virus redirects to microsoft.com. The line in hijack this that relates to the virus, I think, is "O20 - Winlogon Notify: mmx432 - C:\WINNT\SYSTEM32\mmx432.dll" because everytime I remove the entry it appears right away.

 

Welcome to MajorGeeks.com!

Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

Now, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

 

Uninstall Malware via add/remove - done
Disable System restore - I am on win2k
Enable viewing of hidden file type, system files and extensions - done
Do not use multiple antivirus applications - done

Install spybot and update - installed, would not update due to the virus, downloaded updates on another machine and applied on that machine then copied the includes folder over to get round the virus
Microsoft antispyware - installed and updated
CClear will not install - memory problem due to the virus i think

Scans
Windows malicious software removal tool finds nothing
Ad-Aware finds nothing other than cookies
SPybot finds nothing
Microsoft antispyware finds nothing
Bitdefender finds nothing
Panda ActiveScan
(Tried trendmicro and when I try to get to the download page I always get redirected to the microsoft domain by the virus)

As of yet I have been unable to find out what the malware is, also, I am unable to browse this site except from another machine and f-secure blacklight rootkit detector will not load as it will not load when "runas" although I am loggged in as an admin so I presume this is to do with the virus too.

Help anyone?

 

As previously requested, I need the two logs from the online scans with a current HJT log.

 

I'll post the hijack this log here first then the other logs after, might take some time for the online stuff though. Also, I was unable to save the hijack log directly as the virus seems to mess up the windows dialogues. I had to copy the text to another file, save, ftp to a server and post it from there.

 

While waiting on the online scan logs, run the below...

Please download HOSTER and then follow the below steps.

• Unzip HOSTER to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.

• Click the X to exit the program.

After you complete the above, see the below thread on how to install and run Ewido Anti-Malware.

• Running Ewido Anti-Malware...

 

The entry in my hosts file is suppose to be there; its one of our servers.

Ill check out the other stuff (unless hoster does other stuff than change that line in my hosts file).

 

Ewido crashed on install, I will try in safemode when the virus scan is completed.

 

Got lucky getting rid of this. Virus scanning was taking ages so I started to remove some cabs files. This wasnt going to well so I did a search on the folder but the search hung, hanging windows explorer. Figured the virus or whatever it was, was hooked in to windows explorer so when I terminated the search/windows explorer I also deleted the registry key and restarted the system. Seems I managed to catch the virus rewriting its start up value to the registry so when the system booted back up the virus did not load.

 

First, please don't do anything I do not request. I can't help you if your not going to follow what I say. I don't know what all you have done so I don't know the status of your issue.

I still need the logs from the scans, you must follow my instructions or else I can't help you. There is more to cleaning your computer than removing one file.

 

Thanks for your time. I have done the stuff you asked and nothing has come up other than the hook I was expecting. The virus came back as Haxdoor.ga ( http://www.viruslist.com/en/viruses/encyclopedia?virusid=48944 ). It was a little difficult to do all the steps you ask because of the nature of the virus (dialogue boxes wouldnt work etc). After removal using blacklight the subsequent virus scans have not found anything.

 

Why havn't you attach any of the logs I requested? It's impossible for me to help you without any logs.