[harrythook]

Hey djprofit,
I am working on it, but got called out of town for work today
I'll post a fix either tonight or first thing in the morning

Harry

[Advertisements]

There is no rush. I am at work as well. Thanks.

[djprofit]

There is no rush. I am at work as well. Thanks.

[harrythook]

Hi djprofit,
sorry for the delay. Your machine is seriously infected there.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you chose to go forward with cleaning the machine, do this:

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> BM33d6f161 -> %SystemRoot%\system32\lwyestqy.dll [Rundll32.exe "C:\WINDOWS\system32\lwyestqy.dll",s]
YN -> IEUpdate -> %SystemRoot%\system32\12520850k.exe [C:\WINDOWS\system32\12520850k.exe]
YY -> lphc762j0eaep -> %SystemRoot%\system32\lphc762j0eaep.exe [C:\WINDOWS\system32\lphc762j0eaep.exe]
< RunServices [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
YN -> IEUpdate -> %SystemRoot%\system32\12520850k.exe [C:\WINDOWS\system32\12520850k.exe]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Esbh -> %SystemRoot%\system32\PPATCH~1\wuaclt.exe ["C:\WINDOWS\system32\PPATCH~1\wuaclt.exe" -vt yazb]
YN -> IEUpdate -> %SystemRoot%\system32\12520850k.exe [C:\WINDOWS\system32\12520850k.exe]
YN -> Ixqjiux -> %ProgramFiles%\Mіcrosoft\аti2evxx.exe ["C:\Program Files\Mіcrosoft\аti2evxx.exe"]
< RunServices [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
YN -> IEUpdate -> %SystemRoot%\system32\12520850k.exe [C:\WINDOWS\system32\12520850k.exe]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> nnnnNGYS -> nnnnNGYS.dll
YN -> WinCtrl32 -> WinCtrl32.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {00110011-4b0b-44d5-9718-90c88817369b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {086ae192-23a6-48d6-96ec-715f53797e85} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {150fa160-130d-451f-b863-b655061432ba} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2d38a51a-23c9-48a1-a33c-48675aa2b494} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2e9caff6-30c7-4208-8807-e79d4ec6f806} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5321e378-ffad-4999-8c62-03ca8155f0b3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {587dbf2d-9145-4c9e-92c2-1f953da73773} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {79369d5c-2903-4b7a-ade2-d5e0dee14d24} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {799a370d-5993-4887-9df7-0a4756a77d00} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {98dbbf16-ca43-4c33-be80-99e6694468a4} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {a55581dc-2cdb-4089-8878-71a080b22342} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {b847676d-72ac-4393-bfff-43a1eb979352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {bc97b254-b2b9-4d40-971d-78e0978f5f26} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {cf021f40-3e14-23a5-cba2-717765721306} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {e2ddf680-9905-4dee-8c64-0a5de7fe133c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {e7afff2a-1b57-49c7-bf6b-e5123394c970} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {fd9bc004-8331-4457-b830-4759ff704c22} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> 327882R2FWJFW -> %SystemDrive%\327882R2FWJFW
NY -> jjbmnktq.exe -> %SystemRoot%\System32\jjbmnktq.exe
NY -> lphc762j0eaep.exe -> %SystemRoot%\System32\lphc762j0eaep.exe
NY -> clrssn.exe -> %SystemRoot%\clrssn.exe
NY -> funniest.exe -> %SystemRoot%\funniest.exe
NY -> funny.exe -> %SystemRoot%\funny.exe
NY -> loader.exe -> %SystemRoot%\loader.exe
NY -> sistem.exe -> %SystemRoot%\sistem.exe
NY -> svcinit.exe -> %SystemRoot%\svcinit.exe
NY -> systeem.exe -> %SystemRoot%\systeem.exe
NY -> systemcritical.exe -> %SystemRoot%\systemcritical.exe
NY -> time.exe -> %SystemRoot%\time.exe
NY -> users32.exe -> %SystemRoot%\users32.exe
NY -> win32e.exe -> %SystemRoot%\win32e.exe
NY -> win64.exe -> %SystemRoot%\win64.exe
NY -> winmgnt.exe -> %SystemRoot%\winmgnt.exe
NY -> x.exe -> %SystemRoot%\x.exe
NY -> y.exe -> %SystemRoot%\y.exe
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> ?ystem -> %UserProfile%\My Documents\ѕystem
NY -> HJ.exe -> %UserProfile%\Desktop\HJ.exe
[Files/Folders - Modified Within 30 days]
NY -> 327882R2FWJFW -> %SystemDrive%\327882R2FWJFW
NY -> jjbmnktq.exe -> %SystemRoot%\System32\jjbmnktq.exe
NY -> lphc762j0eaep.exe -> %SystemRoot%\System32\lphc762j0eaep.exe

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here .

Lets try downloading Combofix again, and see if it runs now. Allow the download to replace anything thats on your machine if asked. It is important to follow the instructions about your antivirus.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Harry

[djprofit]

Harry:

Thanks for letting me know how messed up my computer truly was. I have changed all my passwords on a secure computer connection (Thanks Pentagon) and am going to have the machine rebuilt. I appreciate your help and thank you for your time.

[harrythook]

Sorry djprofit,
I do not like this type of ending.
If you need further help, or get stuck in the rebuild process send me a note.

Harry