[hazak]

My computer desktop background is replaced by a warning message about spyware threat, this message says:
Warning ! Spyware threat detected on your PC. Your computer has several fatal errors due to spyware activity ...

At one time, before I performed the recommended scans in your 'pre hijackthis' thread, little cockroach looking animations would walk all over the screen but they are now gone. The message, and some of the pop-ups, however, are still there. Here is my HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:14 PM, on 4/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Adobe\PHOTOS~1\3.2\Apps\apdproxy.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\WINDOWS\system32\lcntkldn.exe
C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
C:\PROGRA~1\Google\GOOGLE~1\121128~1.546\GOOGLE~1.EXE
C:\PROGRA~1\SUPERA~1\SUPERA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\Thisisit\HIJACK~1.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntkldn.exe DWram
O4 - HKLM\..\Run: [raokelol] rundll32.exe "C:\DOCUME~1\Anthony\LOCALS~1\Temp\pchfqkg.nls" WLEntryPoint
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Dcna] "C:\PROGRA~1\COMMON~1\PPPATC~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Bpvne] C:\WINDOWS\??sks\n?pdb.exe
O4 - HKCU\..\Run: [Nhxsckkf] "C:\Documents and Settings\Anthony\Application Data\??mantec\n?lookup.exe"
O4 - HKCU\..\Run: [uoif] C:\PROGRA~1\COMMON~1\uoif\uoifm.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [mhsnepsf] rundll32.exe "C:\WINDOWS\System32\sqmisoe.nls" WLEntryPoint
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntkldn.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207702850358
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: xLjDQvSTVpwf - {986FD717-32C5-7DBD-81E6-9EDE95CDEE5D} - C:\WINDOWS\system32\fpr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5437 bytes

[Advertisements]

And here is the "uninstall list" that you recommended I post....




Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
AVG Anti-Spyware 7.5
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Mozilla Firefox (2.0.0.13)
Nero Suite
Panda ActiveScan 2.0
RealPlayer
SUPERAntiSpyware Free Edition
Windows Installer 3.1 (KB893803)

[hazak]

And here is the "uninstall list" that you recommended I post....




Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
AVG Anti-Spyware 7.5
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Mozilla Firefox (2.0.0.13)
Nero Suite
Panda ActiveScan 2.0
RealPlayer
SUPERAntiSpyware Free Edition
Windows Installer 3.1 (KB893803)

[hazak]

Thanks in advance...

Edited by Rorschach112, 10 April 2008 - 08:19 AM.
Donations DONT get special privileges

[RatHat]

Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading SELECT Show hidden files and folders.
• UNCHECK the Hide protected operating system files (recommended) option.
• UNCHECK the Hide extensions for known file types option.
• Click Yes to confirm.
• Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the box that says Include MD5
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Check the Radio button under Drivers for Non Microsoft
• Check the radio button under Rootkit Search for Yes
• Under Additional Scans check the following:
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Regards,
RatHat

[hazak]

I've been away for a little while-I'll be doing the prescribed work tonight and let you know how it went

[RatHat]

OK, no problem

[hazak]

Attached are the OTScanIt and the ComboFix logs...For some reason, the hijackthis log wouldn't upload so I will copy & paste below..



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:03 PM, on 4/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Adobe\PHOTOS~1\3.2\Apps\apdproxy.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\WINDOWS\system32\lcntkldn.exe
C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
C:\PROGRA~1\Google\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HIJACK~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntkldn.exe DWram
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cssfkeci] rundll32.exe "C:\DOCUME~1\Anthony\LOCALS~1\Temp\jbednhmrj.dll" WLEntryPoint
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Dcna] "C:\PROGRA~1\COMMON~1\PPPATC~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Bpvne] C:\WINDOWS\??sks\n?pdb.exe
O4 - HKCU\..\Run: [Nhxsckkf] "C:\Documents and Settings\Anthony\Application Data\??mantec\n?lookup.exe"
O4 - HKCU\..\Run: [uoif] C:\PROGRA~1\COMMON~1\uoif\uoifm.exe
O4 - HKLM\..\Policies\Explorer\Run: [mhsnepsf] rundll32.exe "C:\WINDOWS\System32\sqmisoe.nls" WLEntryPoint
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207702850358
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\..\{2ED227BD-6666-4735-83E3-47FA103615ED}: NameServer = 85.255.116.68,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.68 85.255.112.117
O21 - SSODL: xLjDQvSTVpwf - {986FD717-32C5-7DBD-81E6-9EDE95CDEE5D} - C:\WINDOWS\system32\fpr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4396 bytes

Attached Files

•  log.txt   11.62KB   173 downloads
•  OTScanIt.Txt   119.28KB   134 downloads

[RatHat]

Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> lcntkldn.exe -> %SystemRoot%\system32\lcntkldn.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> g]eeV\mWhjlnspB -> %SystemRoot%\system32\lcntkldn.exe [C:\WINDOWS\system32\lcntkldn.exe DWram]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Bpvne -> %SystemRoot%\??sks\n?pdb.exe [C:\WINDOWS\??sks\n?pdb.exe]
YN -> Nhxsckkf -> %AppData%\??mantec\n?lookup.exe ["C:\Documents and Settings\Anthony\Application Data\??mantec\n?lookup.exe"]
YN -> uoif -> %SystemDrive%\PROGRA~1\COMMON~1\uoif\uoifm.exe [C:\PROGRA~1\COMMON~1\uoif\uoifm.exe]
< Run [HKEY_USERS\S-1-5-21-1708537768-789336058-1202660629-1003\] > -> HKEY_USERS\S-1-5-21-1708537768-789336058-1202660629-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Bpvne -> %SystemRoot%\??sks\n?pdb.exe [C:\WINDOWS\??sks\n?pdb.exe]
YN -> Dcna -> %SystemDrive%\PROGRA~1\COMMON~1\PPPATC~1\mshta.exe ["C:\PROGRA~1\COMMON~1\PPPATC~1\mshta.exe" -vt yazb]
YN -> Nhxsckkf -> %AppData%\??mantec\n?lookup.exe ["C:\Documents and Settings\Anthony\Application Data\??mantec\n?lookup.exe"]
YN -> uoif -> %SystemDrive%\PROGRA~1\COMMON~1\uoif\uoifm.exe [C:\PROGRA~1\COMMON~1\uoif\uoifm.exe]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {986FD717-32C5-7DBD-81E6-9EDE95CDEE5D} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\fpr.dll [xLjDQvSTVpwf]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\mhsnepsf -> rundll32.exe "C:\WINDOWS\System32\sqmisoe.nls" WLEntryPoint
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 10 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 10 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1708537768-789336058-1202660629-1003\] > -> HKEY_USERS\S-1-5-21-1708537768-789336058-1202660629-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 10 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {50BD5CDA-4BA8-4048-8FAA-763F222E41D8}[HKEY_LOCAL_MACHINE] -> ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx[Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
NY -> -1737500906 -> %SystemDrive%\-1737500906
NY -> iW8.exe -> %SystemDrive%\iW8.exe
NY -> lilsesn.exe -> %SystemDrive%\lilsesn.exe
NY -> smp.bat -> %SystemDrive%\smp.bat
NY -> xbgme.exe -> %SystemDrive%\xbgme.exe
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> blackster.scr -> %SystemRoot%\System32\blackster.scr
NY -> crehcjid.dll -> %SystemRoot%\System32\crehcjid.dll
NY -> lcntkldn.exe -> %SystemRoot%\System32\lcntkldn.exe
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> pelulkfu.dll -> %SystemRoot%\pelulkfu.dll
NY -> uoif -> %SystemRoot%\uoif
NY -> uprjiefj -> %SystemRoot%\uprjiefj
[Files/Folders - Modified Within 90 days]
NY -> xbgme.exe -> %SystemDrive%\xbgme.exe
[Extra Files]
C:\WINDOWS\system32\etfqtjta.drv
C:\WINDOWS\system32\jqhedrgrlbc.dll
C:\WINDOWS\system32\lpecakkacoh.nls
C:\WINDOWS\system32\winpfz33.sys
C:\gjtxc.exe
C:\Documents and Settings\Anthony\cftmon.exe
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\qhofkfcd.dll
C:\WINDOWS\system32\LAE1F.tmp
C:\WINDOWS\system32\LE6F9.tmp
Purity
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display the results if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop as Kaspersky.txt.
• Copy and paste that information in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the results from OTScanIt, the MBAM log and Kaspersky.txt.

Also please post the contents into your reply as opposed to attaching the files, it makes it a lot easier for me to research the contents.

Regards,
RatHat

[hazak]

When I click on the "Run Fix" button, it gets stuck toward the end at :

NY -> pelulkfu.dll -> %SystemRoot%\pelulkfu.dll
NY -> uoif -> %SystemRoot%\uoif
NY -> uprjiefj -> %SystemRoot%\uprjiefj
[Files/Folders - Modified Within 90 days]
NY -> xbgme.exe -> %SystemDrive%\xbgme.exe
[Extra Files]
C:\WINDOWS\system32\etfqtjta.drv
C:\WINDOWS\system32\jqhedrgrlbc.dll
C:\WINDOWS\system32\lpecakkacoh.nls
C:\WINDOWS\system32\winpfz33.sys
C:\gjtxc.exe
C:\Documents and Settings\Anthony\cftmon.exe
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\qhofkfcd.dll
C:\WINDOWS\system32\LAE1F.tmp
C:\WINDOWS\system32\LE6F9.tmp
Purity
[Empty Temp Folders]



I waited for it to move but it wouldn't so I eventually had to turn my computer off and back on and try it again. Did I mess something up??

[RatHat]

Could you run MBAM and then the Kaspersky scan, and post me those logs, then we will see what was missed.

Thanks,
RatHat

[hazak]

I'll be responding tonight-have been out of commission...

[RatHat]

OK, no problem.

[RatHat]

Do you still require assistance with this log?

Regards,
RatHat

[hazak]

I'M CURED!!!!!!!! Thank you so much. OK, how and where do I donate!? Thanks RatHat. Thanks Geeks To Go! I'm online again!

[RatHat]

Could you run the Kaspersky scan, and post me the log so that I can ensure you really are cured.

Regards,
RatHat