Vundoo and Maybe AntiVirus 2008

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Vundoo and Maybe AntiVirus 2008

Options

Kamakzie View Member Profile	Nov 10 2008, 08:21 PM Post #1
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Might need you guys again. I think I ran some crap I shouldn't have and Search and Destroy is going fruity. Here is the hijack log. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:18:52 PM, on 11/10/2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\BMExtreme\BMExtreme.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec AntiVirus\VPTray.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe C:\Program Files\CyberLink\Shared Files\brs.exe C:\Program Files\FlashGet\flashget.exe C:\Windows\System32\CtHelper.exe C:\Program Files\SweetIM\Messenger\SweetIM.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Windows\SOUNDMAN.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Windows\System32\rundll32.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Chameleon Clock\ChamClock.exe C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe C:\wdisplay\WeatherD.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Easy Ejector\cdeject.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Windows\ehome\ehtray.exe C:\Users\Kamakzie\AppData\Local\Google\Update\GoogleUpdate.exe C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\WUHU\WUHU.exe C:\Program Files\BORGChat\BORGChat.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\Windows Mail\WinMail.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\ircN\SYSTEM\mirc.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\SnapStream Media\Beyond TV\BTVD3DShell.exe C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\OBroker.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll O2 - BHO: (no name) - {2B9B3748-46B0-4898-809A-99551708C983} - C:\Windows\system32\mlJCvTlk.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {AD204A12-B816-4AE3-A331-EB98CA9368E2} - C:\Windows\system32\yayyvwUm.dll (file missing) O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll O4 - HKLM\..\Run: [BMExtreme] "C:\Program Files\BMExtreme\BMExtreme.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe" O4 - HKLM\..\Run: [Flashget] "C:\Program Files\FlashGet\FlashGet.exe" /min O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" O4 - HKLM\..\Run: [Citi Virtual Account Numbers] "C:\PROGRA~1\VIRTUA~1\CitiVAN.exe" /lang=en_RG /dontopenmycards O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [SweetIM] "C:\Program Files\SweetIM\Messenger\SweetIM.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\fccCUkkI.dll,#1 O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [HomeAlarm] "C:\Program Files\Chameleon Clock\ChamClock.exe" O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [Delphi 3#Autostart] "C:\wdisplay\WeatherD.exe" O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [cdeject] "C:\Program Files\Easy Ejector\cdeject.exe" /tray O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Google Update] "C:\Users\Kamakzie\AppData\Local\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [Messenger (Yahoo!)] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user') O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe O4 - Global Startup: Alt.Binz.lnk = C:\Program Files\AltBinz\altbinz.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Beyond TV.lnk = C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: WUHU Weather.lnk = C:\Program Files\WUHU\WUHU.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\PROGRA~1\VIRTUA~1\CitiVAN.exe O9 - Extra button: Loki - {71723167-B414-4a79-81D6-ACA7B85BB52E} - C:\Program Files\Skyhook Wireless\Loki\LokiPlugin.dll (HKCU) O13 - Gopher Prefix: O15 - Trusted Zone: http://.mlb.com O15 - Trusted Zone: http://www.time.gov O15 - Trusted IP range: http://24.236.250.155 O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} (CAxMP4Dec Class) - http://24.236.250.155:8085/activex/decoder...l_mpeg4_dec.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://24.236.250.155:8085/activex/AMC.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: qnbshz.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Chameleon Clock Set Time for Vista (ChamClock Set Time Service for Vista) - Unknown owner - C:\Program Files\Chameleon Clock\settime.exe O23 - Service: CLHNService3 - Unknown owner - C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe -- End of file - 16966 bytes

kahdah View Member Profile	Nov 10 2008, 08:46 PM Post #2
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	Hello Kamakzie Welcome to BleepingComputer ======================== Before running a new scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop. Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. If you use Firefox browser, do this also: Click Firefox at the top and choose Select All from the list. Click the Empty Selected button. NOTE : If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser, do this also: Click Opera at the top and choose Select All from the list. Close ALL Internet browsers (very important). Click the Empty Selected button. NOTE : If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. =========================================== Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop. Note: You must be logged on to the system with an account that has Administrator privileges to run this program. Close ALL OTHER PROGRAMS. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator). In the Drivers section click on Non-Microsoft. Under Additional Scans click the checkboxes in front of the following items to select them: Reg - BotCheck File - Additional Folder Scans FIle - Lop check File - Purity Scan Under Basic scans: Rootkit Search -Yes Drivers -Non Microsoft Do not change any other settings. Now click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it. Use the Add Reply button and Attach the information back here. I will review it when it comes in. -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 10 2008, 09:43 PM Post #3
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Crap it was too big to attach here. Any suggestions? Its 765k.

kahdah View Member Profile	Nov 10 2008, 09:45 PM Post #4
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	Click Here to upload the file please. -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 10 2008, 09:48 PM Post #5
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	QUOTE(kahdah @ Nov 10 2008, 09:45 PM) Click Here to upload the file please. Thanks file submitted.

kahdah View Member Profile	Nov 10 2008, 10:01 PM Post #6
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator). Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button. CODE [Kill Explorer] [Unregister Dlls] [Registry - Non-Microsoft Only] < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YY -> MSServer -> %SystemRoot%\System32\fccCUkkI.dll [rundll32.exe C:\Windows\system32\fccCUkkI.dll,#1] < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs AppInit_DLLs -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls YY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll YY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks YN -> {81EA3F36-357A-435A-8741-52C27CCC9F21} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awttqrQI.dll [] YY -> {9950772D-AF73-4AEA-80B6-C251EC40EA30} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\fccCUkkI.dll [] < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ YN -> {AD204A12-B816-4AE3-A331-EB98CA9368E2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\yayyvwUm.dll [Reg Error: Value does not exist or could not be read.] YY -> {ddd47634-7acc-4545-800d-b47631ea31d2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\xmfrgq.dll [Reg Error: Value does not exist or could not be read.] [Registry - Additional Scans - Non-Microsoft Only] < BotCheck > -> Authentication Packages -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages YY -> C:\Windows\system32\mlJCvTlk -> %SystemRoot%\System32\mlJCvTlk.dll < BotCheck > -> [Files/Folders - Created Within 30 days] NY -> ddcAsrSj.dll -> %SystemRoot%\System32\ddcAsrSj.dll NY -> fccCUkkI.dll -> %SystemRoot%\System32\fccCUkkI.dll NY -> iisxwyii.dll -> %SystemRoot%\System32\iisxwyii.dll NY -> iiywxsii.ini -> %SystemRoot%\System32\iiywxsii.ini NY -> ikbpdyce.dll -> %SystemRoot%\System32\ikbpdyce.dll NY -> klTvCJlm.ini -> %SystemRoot%\System32\klTvCJlm.ini NY -> klTvCJlm.ini2 -> %SystemRoot%\System32\klTvCJlm.ini2 NY -> mlJCvTlk.dll -> %SystemRoot%\System32\mlJCvTlk.dll NY -> pqjeydqo.dll -> %SystemRoot%\System32\pqjeydqo.dll NY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll NY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll [Files/Folders - Modified Within 30 days] NY -> ddcAsrSj.dll -> %SystemRoot%\System32\ddcAsrSj.dll NY -> fccCUkkI.dll -> %SystemRoot%\System32\fccCUkkI.dll NY -> iisxwyii.dll -> %SystemRoot%\System32\iisxwyii.dll NY -> iiywxsii.ini -> %SystemRoot%\System32\iiywxsii.ini NY -> ikbpdyce.dll -> %SystemRoot%\System32\ikbpdyce.dll NY -> klTvCJlm.ini -> %SystemRoot%\System32\klTvCJlm.ini NY -> klTvCJlm.ini2 -> %SystemRoot%\System32\klTvCJlm.ini2 NY -> mlJCvTlk.dll -> %SystemRoot%\System32\mlJCvTlk.dll NY -> pqjeydqo.dll -> %SystemRoot%\System32\pqjeydqo.dll NY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll NY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll [Empty Temp Folders] [Start Explorer] The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here. If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here. I will review the information when it comes back in. Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer. ================================================= Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley. ============ Then: Download random's system information tool (RSIT) by random/random from here and save it to your desktop. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized) -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 10 2008, 10:33 PM Post #7
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Spybot S&D is trying to block some things. Here is the info the other program spit out after I ran it. Explorer killed successfully [Registry - Non-Microsoft Only] Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully. DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll C:\Windows\System32\fccCUkkI.dll NOT unregistered. File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:qnbshz.dll deleted successfully. DllUnregisterServer procedure not found in C:\Windows\System32\qnbshz.dll C:\Windows\System32\qnbshz.dll NOT unregistered. C:\Windows\System32\qnbshz.dll moved successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:xmfrgq.dll deleted successfully. DllUnregisterServer procedure not found in C:\Windows\System32\xmfrgq.dll C:\Windows\System32\xmfrgq.dll NOT unregistered. C:\Windows\System32\xmfrgq.dll moved successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{81EA3F36-357A-435A-8741-52C27CCC9F21} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81EA3F36-357A-435A-8741-52C27CCC9F21}\ deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{9950772D-AF73-4AEA-80B6-C251EC40EA30} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9950772D-AF73-4AEA-80B6-C251EC40EA30}\ deleted successfully. DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll C:\Windows\System32\fccCUkkI.dll NOT unregistered. File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddd47634-7acc-4545-800d-b47631ea31d2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ddd47634-7acc-4545-800d-b47631ea31d2}\ deleted successfully. File C:\Windows\System32\xmfrgq.dll not found. [Registry - Additional Scans - Non-Microsoft Only] Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\mlJCvTlk deleted successfully. DllUnregisterServer procedure not found in C:\Windows\System32\mlJCvTlk.dll C:\Windows\System32\mlJCvTlk.dll NOT unregistered. C:\Windows\System32\mlJCvTlk.dll moved successfully. [Files/Folders - Created Within 30 days] DllUnregisterServer procedure not found in C:\Windows\System32\ddcAsrSj.dll C:\Windows\System32\ddcAsrSj.dll NOT unregistered. C:\Windows\System32\ddcAsrSj.dll moved successfully. DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll C:\Windows\System32\fccCUkkI.dll NOT unregistered. File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot. DllUnregisterServer procedure not found in C:\Windows\System32\iisxwyii.dll C:\Windows\System32\iisxwyii.dll NOT unregistered. C:\Windows\System32\iisxwyii.dll moved successfully. C:\Windows\System32\iiywxsii.ini moved successfully. DllUnregisterServer procedure not found in C:\Windows\System32\ikbpdyce.dll C:\Windows\System32\ikbpdyce.dll NOT unregistered. C:\Windows\System32\ikbpdyce.dll moved successfully. C:\Windows\System32\klTvCJlm.ini moved successfully. C:\Windows\System32\klTvCJlm.ini2 moved successfully. File C:\Windows\System32\mlJCvTlk.dll not found! DllUnregisterServer procedure not found in C:\Windows\System32\pqjeydqo.dll C:\Windows\System32\pqjeydqo.dll NOT unregistered. C:\Windows\System32\pqjeydqo.dll moved successfully. File C:\Windows\System32\qnbshz.dll not found! File C:\Windows\System32\xmfrgq.dll not found! [Files/Folders - Modified Within 30 days] File C:\Windows\System32\ddcAsrSj.dll not found! DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll C:\Windows\System32\fccCUkkI.dll NOT unregistered. File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot. File C:\Windows\System32\iisxwyii.dll not found! File C:\Windows\System32\iiywxsii.ini not found! File C:\Windows\System32\ikbpdyce.dll not found! File C:\Windows\System32\klTvCJlm.ini not found! File C:\Windows\System32\klTvCJlm.ini2 not found! File C:\Windows\System32\mlJCvTlk.dll not found! File C:\Windows\System32\pqjeydqo.dll not found! File C:\Windows\System32\qnbshz.dll not found! File C:\Windows\System32\xmfrgq.dll not found! [Empty Temp Folders] File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk-journal scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_krXUlRgCwhFLML61uoMm scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_7280_2 scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DF4D9.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DFB27E.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DFB690.tmp scheduled to be deleted on reboot. User's Temp folder emptied. User's Temporary Internet Files folder emptied. User's Internet Explorer cache folder emptied. Local Service Temp folder emptied. Local Service Temporary Internet Files folder emptied. Windows Temp folder emptied. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\OfflineCache\index.sqlite scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl scheduled to be deleted on reboot. FireFox cache emptied. RecycleBin -> emptied. Explorer started successfully < End of fix log > OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11102008_221839 Files moved on Reboot... C:\Windows\System32\fccCUkkI.dll moved successfully. File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk not found! File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk-journal not found! File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_krXUlRgCwhFLML61uoMm not found! C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_7280_2 moved successfully. File C:\Users\Kamakzie\AppData\Local\Temp\~DF4D9.tmp not found! File C:\Users\Kamakzie\AppData\Local\Temp\~DFB27E.tmp not found! File C:\Users\Kamakzie\AppData\Local\Temp\~DFB690.tmp not found! C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\OfflineCache\index.sqlite moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl moved successfully. Attached File(s) spybot.jpg ( 26.41k ) Number of downloads: 10

kahdah View Member Profile	Nov 11 2008, 12:36 AM Post #8
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. ======= Then please proceed with MalwareBYtes and the Rsit tool -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 11 2008, 02:46 AM Post #9
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Thanks I think all is well again.

kahdah View Member Profile	Nov 11 2008, 07:18 AM Post #10
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	Hi I will need to have those scan results to determine whether or not you are clean. -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 11 2008, 11:54 AM Post #11
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Explorer killed successfully [Registry - Non-Microsoft Only] Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully. File C:\Windows\System32\fccCUkkI.dll not found. Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:qnbshz.dll . File C:\Windows\System32\qnbshz.dll not found. Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:xmfrgq.dll . File C:\Windows\System32\xmfrgq.dll not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{81EA3F36-357A-435A-8741-52C27CCC9F21} not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81EA3F36-357A-435A-8741-52C27CCC9F21}\ not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{9950772D-AF73-4AEA-80B6-C251EC40EA30} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9950772D-AF73-4AEA-80B6-C251EC40EA30}\ deleted successfully. File C:\Windows\System32\fccCUkkI.dll not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddd47634-7acc-4545-800d-b47631ea31d2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ddd47634-7acc-4545-800d-b47631ea31d2}\ not found. File C:\Windows\System32\xmfrgq.dll not found. [Registry - Additional Scans - Non-Microsoft Only] Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\mlJCvTlk deleted successfully. File C:\Windows\System32\mlJCvTlk.dll not found. [Files/Folders - Created Within 30 days] File C:\Windows\System32\ddcAsrSj.dll not found! File C:\Windows\System32\fccCUkkI.dll not found! File C:\Windows\System32\iisxwyii.dll not found! File C:\Windows\System32\iiywxsii.ini not found! File C:\Windows\System32\ikbpdyce.dll not found! File C:\Windows\System32\klTvCJlm.ini not found! File C:\Windows\System32\klTvCJlm.ini2 not found! File C:\Windows\System32\mlJCvTlk.dll not found! File C:\Windows\System32\pqjeydqo.dll not found! File C:\Windows\System32\qnbshz.dll not found! File C:\Windows\System32\xmfrgq.dll not found! [Files/Folders - Modified Within 30 days] File C:\Windows\System32\ddcAsrSj.dll not found! File C:\Windows\System32\fccCUkkI.dll not found! File C:\Windows\System32\iisxwyii.dll not found! File C:\Windows\System32\iiywxsii.ini not found! File C:\Windows\System32\ikbpdyce.dll not found! File C:\Windows\System32\klTvCJlm.ini not found! File C:\Windows\System32\klTvCJlm.ini2 not found! File C:\Windows\System32\mlJCvTlk.dll not found! File C:\Windows\System32\pqjeydqo.dll not found! File C:\Windows\System32\qnbshz.dll not found! File C:\Windows\System32\xmfrgq.dll not found! [Empty Temp Folders] File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_M5cmyuNDVYIdxkBWfCUA scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\fla8A40.tmp scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_5888_2 scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DF3756.tmp scheduled to be deleted on reboot. User's Temp folder emptied. User's Temporary Internet Files folder emptied. User's Internet Explorer cache folder emptied. Local Service Temp folder emptied. Local Service Temporary Internet Files folder emptied. Windows Temp folder emptied. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot. File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl scheduled to be deleted on reboot. FireFox cache emptied. RecycleBin -> emptied. Explorer started successfully < End of fix log > OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11112008_013222 Files moved on Reboot... File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_M5cmyuNDVYIdxkBWfCUA not found! File C:\Users\Kamakzie\AppData\Local\Temp\fla8A40.tmp not found! C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_5888_2 moved successfully. C:\Users\Kamakzie\AppData\Local\Temp\~DF3756.tmp moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite moved successfully. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl moved successfully.

kahdah View Member Profile	Nov 11 2008, 08:43 PM Post #12
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	Sorry MalwareBytes and the Rsit logs I meant. -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 11 2008, 10:10 PM Post #13
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	QUOTE(kahdah @ Nov 11 2008, 08:43 PM) Sorry MalwareBytes and the Rsit logs I meant. Can you link me to the programs and instructions? Thanks.

kahdah View Member Profile	Nov 11 2008, 10:17 PM Post #14
Forum Addict Group: HJT Team Coach Posts: 6,499 Joined: 27-October 06 From: Florida Member No.: 92,376	http://www.bleepingcomputer.com/forums/ind...t&p=1003062 After the Ot scan it instructions. -------------------- Please do not pm for help, post it in the forums instead. If I have helped you then please consider donating to continue the fight against malware

Kamakzie View Member Profile	Nov 11 2008, 11:25 PM Post #15
Member Group: Members Posts: 25 Joined: 15-June 08 Member No.: 216,507	Malwarebytes' Anti-Malware 1.30 Database version: 1387 Windows 6.0.6001 Service Pack 1 11/11/2008 11:15:43 PM mbam-log-2008-11-11 (23-15-43).txt Scan type: Quick Scan Objects scanned: 50022 Time elapsed: 3 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Windows\System32\fnpjreor.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Windows\System32\fnpjreor.dll (Trojan.Vundo.H) -> Delete on reboot. C:\Windows\System32\roerjpnf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides