See Anything I Missed?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by deercreek, Nov 10, 2006.

  1. deercreek

    deercreek Private E-2

    Hi. I've been having tons of fun this week. I used Add or Remove Programs to get rid of what I think caused YazzleSoduku to keep coming back. I ran CCleaner. I ran the Microsoft Windows Malware tool and it came back clean. I ran Spybot Search and Destroy and Smitfraud-C.Toolbar888 keeps coming back. I did a full scan with Microsoft Windows Defender and it showed Toolbar888 as well. I ran the Bitdefender online scan and it found three really old emails with viruses, so I manually deleted those. It also found Trojan.Downloader.BKK, which is something else I keep finding.

    I've attached my Bitdefender log, HijackThis log, GetRunKey log, and ShowNew log. Any help would be greatly appreciated.
     

    Attached Files:

  2. deercreek

    deercreek Private E-2

    Here's my HijackThis log. Thanks again.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download VundoFix.exe to your desktop. Reboot into Safe Mode and run the below.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shut down your computer; click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  4. deercreek

    deercreek Private E-2

    Thanks for the response. Here are the new logs.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet.
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {084E544B-1839-548C-DCB4-03C0E674CC2E} - C:\WINDOWS\system32\akylatg.dll
    O2 - BHO: (no name) - {0C8E4E58-4EE1-5D39-2DE3-08180F2DB9B0} - C:\WINDOWS\system32\ytortnc.dll (file missing)
    O2 - BHO: (no name) - {1F54808E-21CE-2746-7289-027310EC217D} - C:\WINDOWS\system32\emzybmj.dll (file missing)
    O2 - BHO: (no name) - {24D23F25-B8F0-84AC-0925-0950A9830DD7} - C:\WINDOWS\system32\sqqqlbl.dll (file missing)
    O2 - BHO: (no name) - {2C08A715-5777-49E4-EE03-04EB9211FBE8} - C:\WINDOWS\system32\zzaooji.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\tubmnawb.dll (file missing)
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\ssqqqqr.dll

    O4 - HKLM\..\Run: [fkzggpb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fkzggpb.dll,xfcxgkc
    O4 - HKLM\..\Run: [vmhuzqf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vmhuzqf.dll,eoblaf
    O4 - HKLM\..\Run: [ycueksj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ycueksj.dll,qxhdtn
    O4 - HKLM\..\Run: [wmcuhy.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wmcuhy.dll,yzczmye
    O4 - HKLM\..\Run: [pzorjmk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pzorjmk.dll,ussnrdc
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O20 - Winlogon Notify: ssqqqqr - C:\WINDOWS\SYSTEM32\ssqqqqr.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Final Step...

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Once you complete this post, reboot and attach a fresh HJT log.
     
  6. deercreek

    deercreek Private E-2

    Here's my latest log. Thanks again.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mllmj.dll & xllnfuqv.dll once and then click the kill button. After you have killed all of the mllmj.dll & xllnfuqv.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mllmj.dll & xllnfuqv.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {63DE5A4D-DC92-4CA5-BAFC-6704794776B7} - C:\WINDOWS\system32\mllmj.dll
    O2 - BHO: (no name) - {EB216B76-DEFB-428A-AC4D-C6A43B022737} - C:\WINDOWS\system32\jkhhi.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\xllnfuqv.dll

    O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\jmllm.ini
    C:\WINDOWS\SYSTEM32\jmllm.ini2
    C:\WINDOWS\SYSTEM32\jmllm.bak
    C:\WINDOWS\SYSTEM32\jmllm.bak1
    C:\WINDOWS\SYSTEM32\jmllm.bak2
    C:\WINDOWS\SYSTEM32\jmllm.tmp
    C:\WINDOWS\system32\mllmj.dll
    C:\WINDOWS\system32\xllnfuqv.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
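The two fix posts above follow the same pattern: unnamed O2 BHO entries pointing at randomly named DLLs in system32, O4 Run values that start rundll32 on one of those DLLs by export name, and an O20 Winlogon Notify entry that reuses a DLL already registered as a BHO (ssqqqqr.dll appears in both). The following Python script is an added illustration, not code from this thread, from HijackThis or from MajorGeeks: it parses HijackThis-style O2/O4/O20 lines, applies those observations as heuristics, and produces the list of lines to tick in HJT and the de-duplicated file paths for KillBox. The sample lines are constructed to mirror the entries quoted in the thread; the "Example Vendor" BHO, its CLSID, and the SoundMan entry are made-up benign placeholders, and the "random name" rule is an assumption of this example, not a rule HijackThis applies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modeled on the entries quoted in this thread.
# "Example Vendor Helper", its CLSID and "SoundMan" are made-up benign placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {084E544B-1839-548C-DCB4-03C0E674CC2E} - C:\WINDOWS\system32\akylatg.dll
O2 - BHO: (no name) - {0C8E4E58-4EE1-5D39-2DE3-08180F2DB9B0} - C:\WINDOWS\system32\ytortnc.dll (file missing)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\ssqqqqr.dll
O2 - BHO: Example Vendor Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [fkzggpb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fkzggpb.dll,xfcxgkc
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: ssqqqqr - C:\WINDOWS\SYSTEM32\ssqqqqr.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SYSTEM32_DLL_RE = re.compile(r"\\windows\\system32\\([^\\]+\.dll)$", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)$", re.IGNORECASE)
# Crude "random name" heuristic (an assumption of this example): 5-8 lowercase letters, no digits.
# It also matches some short legitimate names, so treat a hit as a prompt to look closer, never
# as a verdict on its own.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


@dataclass
class Finding:
    line: str                               # the HJT line to tick before clicking Fix
    path: str                               # file the entry points at (KillBox candidate)
    reasons: list = field(default_factory=list)


def analyze(log_text):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []
    loader_dlls = set()   # lowercase basenames of dlls loaded via O2/O4, for correlating O20
    for line in lines:
        m = O2_RE.match(line)
        if m:
            path, reasons = m.group("path"), []
            sys32 = SYSTEM32_DLL_RE.search(path)
            if sys32:
                loader_dlls.add(sys32.group(1).lower())
                if m.group("name") == "(no name)":
                    reasons.append("unnamed BHO loaded straight out of system32")
                if RANDOM_NAME_RE.match(sys32.group(1)[:-4]):
                    reasons.append("random-looking dll name")
            if m.group("missing"):
                reasons.append("stale entry: registered dll no longer on disk")
            if reasons:
                findings.append(Finding(line, path, reasons))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and SYSTEM32_DLL_RE.search(r.group("dll")):
                reasons = ["Run value starts rundll32 on a system32 dll by export name"]
                loader_dlls.add(basename(r.group("dll")).lower())
                if m.group("value").lower() == basename(r.group("dll")).lower():
                    reasons.append("Run value is named after the dll itself")
                findings.append(Finding(line, r.group("dll"), reasons))
    # Second pass: Winlogon Notify handlers are loaded inside winlogon.exe (which is why the
    # thread kills their threads there), so cross-check them against dlls already flagged
    # instead of judging the name alone.
    for line in lines:
        m = O20_RE.match(line)
        if not m:
            continue
        path, reasons = m.group("path"), []
        name = basename(path).lower()
        if name in loader_dlls:
            reasons.append("same dll is also registered as a BHO or Run entry")
        elif RANDOM_NAME_RE.match(name[:-4] if name.endswith(".dll") else name):
            reasons.append("random-looking Winlogon Notify dll; verify its publisher")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def hjt_fix_lines(findings):
    """Lines to tick in HijackThis before clicking Fix."""
    return [f.line for f in findings]


def killbox_paths(findings):
    """Unique paths to paste into KillBox; paths are case-insensitive, first spelling wins."""
    seen, out = set(), []
    for f in findings:
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    print("\nKillBox list:")
    for p in killbox_paths(found):
        print("   ", p)
```

On the sample the script flags the three unnamed system32 BHOs (one as stale), the rundll32 Run value, and the Winlogon Notify entry by its correlation with the BHO list, while leaving the named BHO, the SoundMan value and the WinZip startup shortcut alone; the KillBox list collapses the two spellings of ssqqqqr.dll into one path, matching what the helper above did by hand.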
  8. deercreek

    deercreek Private E-2

    Done. Here's a fresh log.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry; afterwards your log will be clean.

    Are you having any further problems?

     
  10. deercreek

    deercreek Private E-2

    Everything seems to be working great now. Thank you very much for all the help.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
