BleepingComputer.com: Vundoo and Maybe AntiVirus 2008

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Vundoo and Maybe AntiVirus 2008

#1 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 10 November 2008 - 08:21 PM

Might need you guys again. I think I ran some crap I shouldn't have and Search and Destroy is going fruity. Here is the hijack log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:52 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\BMExtreme\BMExtreme.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\FlashGet\flashget.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\wdisplay\WeatherD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Easy Ejector\cdeject.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Kamakzie\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WUHU\WUHU.exe
C:\Program Files\BORGChat\BORGChat.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\ircN\SYSTEM\mirc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVD3DShell.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\OBroker.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: (no name) - {2B9B3748-46B0-4898-809A-99551708C983} - C:\Windows\system32\mlJCvTlk.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AD204A12-B816-4AE3-A331-EB98CA9368E2} - C:\Windows\system32\yayyvwUm.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [BMExtreme] "C:\Program Files\BMExtreme\BMExtreme.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [Flashget] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Citi Virtual Account Numbers] "C:\PROGRA~1\VIRTUA~1\CitiVAN.exe" /lang=en_RG /dontopenmycards
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SweetIM] "C:\Program Files\SweetIM\Messenger\SweetIM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\fccCUkkI.dll,#1
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [HomeAlarm] "C:\Program Files\Chameleon Clock\ChamClock.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Delphi 3#Autostart] "C:\wdisplay\WeatherD.exe"
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cdeject] "C:\Program Files\Easy Ejector\cdeject.exe" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kamakzie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: Alt.Binz.lnk = C:\Program Files\AltBinz\altbinz.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Beyond TV.lnk = C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WUHU Weather.lnk = C:\Program Files\WUHU\WUHU.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
O9 - Extra button: Loki - {71723167-B414-4a79-81D6-ACA7B85BB52E} - C:\Program Files\Skyhook Wireless\Loki\LokiPlugin.dll (HKCU)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mlb.com
O15 - Trusted Zone: http://www.time.gov
O15 - Trusted IP range: http://24.236.250.155
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} (CAxMP4Dec Class) - http://24.236.250.155:8085/activex/decoder...l_mpeg4_dec.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://24.236.250.155:8085/activex/AMC.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: qnbshz.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Chameleon Clock Set Time for Vista (ChamClock Set Time Service for Vista) - Unknown owner - C:\Program Files\Chameleon Clock\settime.exe
O23 - Service: CLHNService3 - Unknown owner - C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe

--
End of file - 16966 bytes

#2 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 10 November 2008 - 08:46 PM

Hello Kamakzie

Welcome to BleepingComputer :thumbsup:
========================
Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
===========================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Reg - BotCheck
      File - Additional Folder Scans
      FIle - Lop check
      File - Purity Scan
      Under Basic scans:
      Rootkit Search -Yes
      Drivers -Non Microsoft

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here. I will review it when it comes in.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 10 November 2008 - 09:43 PM

Crap it was too big to attach here. Any suggestions? Its 765k.

#4 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 10 November 2008 - 09:45 PM

Click Here to upload the file please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 10 November 2008 - 09:48 PM

View Postkahdah, on Nov 10 2008, 09:45 PM, said:

Click Here to upload the file please.


Thanks file submitted.

#6 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 10 November 2008 - 10:01 PM

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> MSServer -> %SystemRoot%\System32\fccCUkkI.dll [rundll32.exe C:\Windows\system32\fccCUkkI.dll,#1]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll
YY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {81EA3F36-357A-435A-8741-52C27CCC9F21} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awttqrQI.dll []
YY -> {9950772D-AF73-4AEA-80B6-C251EC40EA30} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\fccCUkkI.dll []
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {AD204A12-B816-4AE3-A331-EB98CA9368E2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\yayyvwUm.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {ddd47634-7acc-4545-800d-b47631ea31d2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\xmfrgq.dll [Reg Error: Value  does not exist or could not be read.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\Windows\system32\mlJCvTlk -> %SystemRoot%\System32\mlJCvTlk.dll
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> ddcAsrSj.dll -> %SystemRoot%\System32\ddcAsrSj.dll
NY -> fccCUkkI.dll -> %SystemRoot%\System32\fccCUkkI.dll
NY -> iisxwyii.dll -> %SystemRoot%\System32\iisxwyii.dll
NY -> iiywxsii.ini -> %SystemRoot%\System32\iiywxsii.ini
NY -> ikbpdyce.dll -> %SystemRoot%\System32\ikbpdyce.dll
NY -> klTvCJlm.ini -> %SystemRoot%\System32\klTvCJlm.ini
NY -> klTvCJlm.ini2 -> %SystemRoot%\System32\klTvCJlm.ini2
NY -> mlJCvTlk.dll -> %SystemRoot%\System32\mlJCvTlk.dll
NY -> pqjeydqo.dll -> %SystemRoot%\System32\pqjeydqo.dll
NY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll
NY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll
[Files/Folders - Modified Within 30 days]
NY -> ddcAsrSj.dll -> %SystemRoot%\System32\ddcAsrSj.dll
NY -> fccCUkkI.dll -> %SystemRoot%\System32\fccCUkkI.dll
NY -> iisxwyii.dll -> %SystemRoot%\System32\iisxwyii.dll
NY -> iiywxsii.ini -> %SystemRoot%\System32\iiywxsii.ini
NY -> ikbpdyce.dll -> %SystemRoot%\System32\ikbpdyce.dll
NY -> klTvCJlm.ini -> %SystemRoot%\System32\klTvCJlm.ini
NY -> klTvCJlm.ini2 -> %SystemRoot%\System32\klTvCJlm.ini2
NY -> mlJCvTlk.dll -> %SystemRoot%\System32\mlJCvTlk.dll
NY -> pqjeydqo.dll -> %SystemRoot%\System32\pqjeydqo.dll
NY -> qnbshz.dll -> %SystemRoot%\System32\qnbshz.dll
NY -> xmfrgq.dll -> %SystemRoot%\System32\xmfrgq.dll
[Empty Temp Folders]
[Start Explorer]


The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
=================================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
============
Then:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 10 November 2008 - 10:33 PM

Spybot S&D is trying to block some things.

Here is the info the other program spit out after I ran it.


Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll
C:\Windows\System32\fccCUkkI.dll NOT unregistered.
File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:qnbshz.dll deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\qnbshz.dll
C:\Windows\System32\qnbshz.dll NOT unregistered.
C:\Windows\System32\qnbshz.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:xmfrgq.dll deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\xmfrgq.dll
C:\Windows\System32\xmfrgq.dll NOT unregistered.
C:\Windows\System32\xmfrgq.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{81EA3F36-357A-435A-8741-52C27CCC9F21} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81EA3F36-357A-435A-8741-52C27CCC9F21}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{9950772D-AF73-4AEA-80B6-C251EC40EA30} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9950772D-AF73-4AEA-80B6-C251EC40EA30}\ deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll
C:\Windows\System32\fccCUkkI.dll NOT unregistered.
File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddd47634-7acc-4545-800d-b47631ea31d2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ddd47634-7acc-4545-800d-b47631ea31d2}\ deleted successfully.
File C:\Windows\System32\xmfrgq.dll not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\mlJCvTlk deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\mlJCvTlk.dll
C:\Windows\System32\mlJCvTlk.dll NOT unregistered.
C:\Windows\System32\mlJCvTlk.dll moved successfully.
[Files/Folders - Created Within 30 days]
DllUnregisterServer procedure not found in C:\Windows\System32\ddcAsrSj.dll
C:\Windows\System32\ddcAsrSj.dll NOT unregistered.
C:\Windows\System32\ddcAsrSj.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll
C:\Windows\System32\fccCUkkI.dll NOT unregistered.
File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\System32\iisxwyii.dll
C:\Windows\System32\iisxwyii.dll NOT unregistered.
C:\Windows\System32\iisxwyii.dll moved successfully.
C:\Windows\System32\iiywxsii.ini moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\ikbpdyce.dll
C:\Windows\System32\ikbpdyce.dll NOT unregistered.
C:\Windows\System32\ikbpdyce.dll moved successfully.
C:\Windows\System32\klTvCJlm.ini moved successfully.
C:\Windows\System32\klTvCJlm.ini2 moved successfully.
File C:\Windows\System32\mlJCvTlk.dll not found!
DllUnregisterServer procedure not found in C:\Windows\System32\pqjeydqo.dll
C:\Windows\System32\pqjeydqo.dll NOT unregistered.
C:\Windows\System32\pqjeydqo.dll moved successfully.
File C:\Windows\System32\qnbshz.dll not found!
File C:\Windows\System32\xmfrgq.dll not found!
[Files/Folders - Modified Within 30 days]
File C:\Windows\System32\ddcAsrSj.dll not found!
DllUnregisterServer procedure not found in C:\Windows\System32\fccCUkkI.dll
C:\Windows\System32\fccCUkkI.dll NOT unregistered.
File move failed. C:\Windows\System32\fccCUkkI.dll scheduled to be moved on reboot.
File C:\Windows\System32\iisxwyii.dll not found!
File C:\Windows\System32\iiywxsii.ini not found!
File C:\Windows\System32\ikbpdyce.dll not found!
File C:\Windows\System32\klTvCJlm.ini not found!
File C:\Windows\System32\klTvCJlm.ini2 not found!
File C:\Windows\System32\mlJCvTlk.dll not found!
File C:\Windows\System32\pqjeydqo.dll not found!
File C:\Windows\System32\qnbshz.dll not found!
File C:\Windows\System32\xmfrgq.dll not found!
[Empty Temp Folders]
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk-journal scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_krXUlRgCwhFLML61uoMm scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_7280_2 scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DF4D9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DFB27E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DFB690.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11102008_221839

Files moved on Reboot...
C:\Windows\System32\fccCUkkI.dll moved successfully.
File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk not found!
File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_6QKybIAbNCNcSL5M6kFk-journal not found!
File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_krXUlRgCwhFLML61uoMm not found!
C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_7280_2 moved successfully.
File C:\Users\Kamakzie\AppData\Local\Temp\~DF4D9.tmp not found!
File C:\Users\Kamakzie\AppData\Local\Temp\~DFB27E.tmp not found!
File C:\Users\Kamakzie\AppData\Local\Temp\~DFB690.tmp not found!
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\OfflineCache\index.sqlite moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl moved successfully.

Attached File(s)


#8 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 11 November 2008 - 12:36 AM

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
=======
Then please proceed with MalwareBYtes and the Rsit tool
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 11 November 2008 - 02:46 AM

Thanks I think all is well again.

#10 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 11 November 2008 - 07:18 AM

Hi I will need to have those scan results to determine whether or not you are clean.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 11 November 2008 - 11:54 AM

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
File C:\Windows\System32\fccCUkkI.dll not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:qnbshz.dll .
File C:\Windows\System32\qnbshz.dll not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:xmfrgq.dll .
File C:\Windows\System32\xmfrgq.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{81EA3F36-357A-435A-8741-52C27CCC9F21} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81EA3F36-357A-435A-8741-52C27CCC9F21}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{9950772D-AF73-4AEA-80B6-C251EC40EA30} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9950772D-AF73-4AEA-80B6-C251EC40EA30}\ deleted successfully.
File C:\Windows\System32\fccCUkkI.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD204A12-B816-4AE3-A331-EB98CA9368E2}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddd47634-7acc-4545-800d-b47631ea31d2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ddd47634-7acc-4545-800d-b47631ea31d2}\ not found.
File C:\Windows\System32\xmfrgq.dll not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\mlJCvTlk deleted successfully.
File C:\Windows\System32\mlJCvTlk.dll not found.
[Files/Folders - Created Within 30 days]
File C:\Windows\System32\ddcAsrSj.dll not found!
File C:\Windows\System32\fccCUkkI.dll not found!
File C:\Windows\System32\iisxwyii.dll not found!
File C:\Windows\System32\iiywxsii.ini not found!
File C:\Windows\System32\ikbpdyce.dll not found!
File C:\Windows\System32\klTvCJlm.ini not found!
File C:\Windows\System32\klTvCJlm.ini2 not found!
File C:\Windows\System32\mlJCvTlk.dll not found!
File C:\Windows\System32\pqjeydqo.dll not found!
File C:\Windows\System32\qnbshz.dll not found!
File C:\Windows\System32\xmfrgq.dll not found!
[Files/Folders - Modified Within 30 days]
File C:\Windows\System32\ddcAsrSj.dll not found!
File C:\Windows\System32\fccCUkkI.dll not found!
File C:\Windows\System32\iisxwyii.dll not found!
File C:\Windows\System32\iiywxsii.ini not found!
File C:\Windows\System32\ikbpdyce.dll not found!
File C:\Windows\System32\klTvCJlm.ini not found!
File C:\Windows\System32\klTvCJlm.ini2 not found!
File C:\Windows\System32\mlJCvTlk.dll not found!
File C:\Windows\System32\pqjeydqo.dll not found!
File C:\Windows\System32\qnbshz.dll not found!
File C:\Windows\System32\xmfrgq.dll not found!
[Empty Temp Folders]
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\etilqs_M5cmyuNDVYIdxkBWfCUA scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\fla8A40.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_5888_2 scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Temp\~DF3756.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11112008_013222

Files moved on Reboot...
File C:\Users\Kamakzie\AppData\Local\Temp\etilqs_M5cmyuNDVYIdxkBWfCUA not found!
File C:\Users\Kamakzie\AppData\Local\Temp\fla8A40.tmp not found!
C:\Users\Kamakzie\AppData\Local\Temp\ppcrlui_5888_2 moved successfully.
C:\Users\Kamakzie\AppData\Local\Temp\~DF3756.tmp moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\urlclassifier3.sqlite moved successfully.
C:\Users\Kamakzie\AppData\Local\Mozilla\Firefox\Profiles\ucpxg7yk.default\XUL.mfl moved successfully.

#12 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 11 November 2008 - 08:43 PM

Sorry MalwareBytes and the Rsit logs I meant.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 11 November 2008 - 10:10 PM

View Postkahdah, on Nov 11 2008, 08:43 PM, said:

Sorry MalwareBytes and the Rsit logs I meant.


Can you link me to the programs and instructions? Thanks.

#14 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 11 November 2008 - 10:17 PM

http://www.bleepingcomputer.com/forums/ind...t&p=1003062

After the Ot scan it instructions.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 User is offline   Kamakzie 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 25
  • Joined: 15-June 08

Posted 11 November 2008 - 11:25 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1387
Windows 6.0.6001 Service Pack 1

11/11/2008 11:15:43 PM
mbam-log-2008-11-11 (23-15-43).txt

Scan type: Quick Scan
Objects scanned: 50022
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\fnpjreor.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\fnpjreor.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\roerjpnf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users