XP Security 2011 - xjl.exe


AMo

Hello,

I'm looking for some help on how to rid my computer of the XP Security 2011 virus. This appears in my Task Manager Image Name as xjl.exe. So far I have tried to download all the latest versions of rkill. Here are the results. When I attempt to run in a non safe mode I get the following userinit.exe prompt: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Same prompt if I try and run mbam.exe. If I boot in safe mode I get the following results. explorer.exe, WiNlOgOn.exe, iExplore.exe, rkill.exe, uSeRiNiT.exe, and mbam.exe all trigger xjl.exe and will not run. rkill.scr runs notepad, but does nothing. rkill.com will run in safe mode but will not kill xjl.exe so I can run mbam.exe. Right before the notepad comes up with the rkill results a DOS prompt pops up quickly and disappears stating, "sed.exe: can't read C:\DOCUME~1\Jessica\LOCALS~1\Temp\rks1.log: No such file or directory." I've also tried downloading rkill.exe from my phone, moving it to my computer and running it, as well as running it directly from my phone as an external drive. Still, the same "cannot access the specified device..." prompt.

Thanks for any help you can provide.


Welcome to the forum.

Enable hidden files:

http://www.howtogeek.com/howto/windows/display-hidden-folders-in-xp/

See if you can delete xjl.exe: it should be located somewhere like this:

C:\Documents and Settings\"user name"\Local Settings\Application Data\xjl.exe

See if this helps:

Carefully read and follow this Guide.

Make sure you run rkill and then immediately run MBAM as described.

Most important: update MBAM before you run it.

----------------------

See if you can run OTL:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


MrC, Thank you for your assistance.

I'm not exactly sure what happened here. I ran rkill multiple times on 4/7/11 with what seemed like no success. However, on 4/8/11 my first attempt back into it was to see if I could open any programs which would not open the day before. Rather than getting an error message, I got a programs list to select what to run the program with. I was able to browse to the program files and open, update, and run mbam.exe. I ran mbam multiple times, and each time it found multiple objects infected. I removed them and ran OTL.exe. Attached are the text files from the results. These issues seem to be recurring more frequently as of late, after we had an IT Specialist recover and install some different free spycatcher program. I'm strongly considering uninstalling everything he put on and purchasing the full registered version of mbam. What would be the benefits of having the full version, and would it prevent these viruses from repeatedly popping up? Thanks again for your help.

OTL_110408.Txt

Extras_110408.Txt


Please create a new system restore point before running OTL.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.
    O2 - BHO: (no name) - {CA2FCEA7-0666-21B4-4293-58C0A55C06E7} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-2700284664-2585570681-2036073086-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2700284664-2585570681-2036073086-1006\..\Toolbar\ShellBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKU\S-1-5-21-2700284664-2585570681-2036073086-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKLM..\Run: [Tmaget] C:\WINDOWS\ixoyukej.dll ()
    O4 - HKU\.DEFAULT..\Run: [] File not found
    O4 - HKU\.DEFAULT..\Run: [Sen] File not found
    O4 - HKU\.DEFAULT..\Run: [Ywciojk] File not found
    O4 - HKU\S-1-5-18..\Run: [] File not found
    O4 - HKU\S-1-5-18..\Run: [Sen] File not found
    O4 - HKU\S-1-5-18..\Run: [Ywciojk] File not found
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] File not found
    O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] File not found
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    [2011/04/09 00:57:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\hOi10601gEkBl10601
    [2011/04/07 18:26:46 | 000,011,342 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2738145062
    [2011/04/07 20:52:27 | 000,011,458 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/04/07 20:52:27 | 000,011,458 | -HS- | M] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/04/03 10:22:35 | 000,011,458 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/04/02 22:02:29 | 000,001,368 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/04/07 18:26:46 | 000,011,338 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4064715361
    [2011/04/07 18:26:46 | 000,011,338 | -HS- | M] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\4064715361
    [2011/03/08 17:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\jPiIpPb10602
    [2011/04/09 00:00:28 | 000,004,752 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\e8010lu874aguygbc
    [2011/03/13 02:29:45 | 000,000,020 | ---- | M] () -- C:\WINDOWS\IXOYUKEJ.DLL
    [2011/04/08 22:52:39 | 000,004,752 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\e8010lu874aguygbc
    [2011/04/08 16:12:04 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\e8010lu874aguygbc
    [2011/04/07 18:26:45 | 000,011,342 | -HS- | C] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\2738145062
    [2011/04/05 20:34:45 | 000,011,342 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2738145062
    [2011/03/20 09:11:37 | 000,010,108 | -HS- | C] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/19 21:48:02 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/22 18:09:58 | 000,010,108 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8q1gjv45b1b2ny58w4voq16g4u2

    [2011/01/21 16:19:36 | 000,000,000 | ---D | M](C:\WINDOWS\System32\a?sembly) -- C:\WINDOWS\System32\a?sembly
    [2007/02/11 15:11:18 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?ppPatch) -- C:\Program Files\Common Files\?ppPatch
    [2007/02/11 15:11:18 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?ppPatch) -- C:\Program Files\Common Files\?ppPatch
    [2007/02/10 14:54:44 | 000,000,000 | ---D | M](C:\WINDOWS\System32\S?mantec) -- C:\WINDOWS\System32\S?mantec
    [2007/02/06 23:13:28 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\?icrosoft
    [2007/02/06 23:13:28 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\?icrosoft
    [2007/02/04 19:18:53 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?ppPatch\?ppPatch) -- C:\Program Files\Common Files\?ppPatch\?ppPatch
    [2007/02/01 18:53:19 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ssembly) -- C:\Documents and Settings\Jessica\Application Data\?ssembly
    [2007/02/01 18:53:19 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ssembly) -- C:\Documents and Settings\Jessica\Application Data\?ssembly
    [2007/01/21 13:09:21 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\F?nts) -- C:\Documents and Settings\Jessica\Application Data\F?nts
    [2007/01/21 13:09:21 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\F?nts) -- C:\Documents and Settings\Jessica\Application Data\F?nts
    [2007/01/05 20:27:21 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ymbols) -- C:\Documents and Settings\Jessica\Application Data\?ymbols
    [2007/01/05 20:27:21 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ymbols) -- C:\Documents and Settings\Jessica\Application Data\?ymbols
    [2007/01/02 07:47:07 | 000,000,000 | ---D | M](C:\Program Files\Common Files\s?stem32) -- C:\Program Files\Common Files\s?stem32
    [2007/01/02 07:47:07 | 000,000,000 | ---D | M](C:\Program Files\Common Files\s?stem32) -- C:\Program Files\Common Files\s?stem32
    [2006/12/18 12:01:07 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??sks) -- C:\WINDOWS\System32\??sks
    [2006/12/18 12:01:07 | 000,000,000 | ---D | C](C:\WINDOWS\System32\??sks) -- C:\WINDOWS\System32\??sks
    [2006/12/14 00:14:00 | 000,000,000 | ---D | M](C:\Program Files\Common Files\??stem) -- C:\Program Files\Common Files\??stem
    [2006/12/14 00:14:00 | 000,000,000 | ---D | M](C:\Program Files\Common Files\??stem) -- C:\Program Files\Common Files\??stem
    [2006/12/11 23:16:58 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?racle) -- C:\Program Files\Common Files\?racle
    [2006/12/11 23:16:58 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?racle) -- C:\Program Files\Common Files\?racle
    [2006/12/06 14:19:21 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?dobe) -- C:\WINDOWS\System32\?dobe
    [2006/12/06 14:19:21 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?dobe) -- C:\WINDOWS\System32\?dobe
    [2006/11/27 07:02:28 | 000,000,000 | ---D | M](C:\WINDOWS\?ystem) -- C:\WINDOWS\?ystem
    [2006/11/27 07:02:28 | 000,000,000 | ---D | C](C:\WINDOWS\?ystem) -- C:\WINDOWS\?ystem
    [2006/11/24 17:14:35 | 000,000,000 | ---D | M](C:\WINDOWS\??sks) -- C:\WINDOWS\??sks
    [2006/11/24 17:14:35 | 000,000,000 | ---D | C](C:\WINDOWS\??sks) -- C:\WINDOWS\??sks
    [2006/11/22 19:33:36 | 000,000,000 | ---D | M](C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\F?nts
    [2006/11/22 19:33:36 | 000,000,000 | ---D | M](C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\F?nts
    [2006/10/19 11:04:53 | 000,000,000 | ---D | M](C:\WINDOWS\?asks) -- C:\WINDOWS\?asks
    [2006/10/19 11:04:53 | 000,000,000 | ---D | C](C:\WINDOWS\?asks) -- C:\WINDOWS\?asks
    [2006/10/17 21:22:31 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\??mbols) -- C:\Documents and Settings\Jessica\Application Data\??mbols
    [2006/10/17 21:22:31 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\??mbols) -- C:\Documents and Settings\Jessica\Application Data\??mbols
    [2006/10/14 22:04:02 | 000,000,000 | ---D | M](C:\WINDOWS\System32\F?nts) -- C:\WINDOWS\System32\F?nts
    [2006/10/14 22:04:02 | 000,000,000 | ---D | C](C:\WINDOWS\System32\F?nts) -- C:\WINDOWS\System32\F?nts
    [2006/09/25 12:01:20 | 000,000,000 | ---D | M](C:\WINDOWS\s?mbols) -- C:\WINDOWS\s?mbols
    [2006/09/25 12:01:20 | 000,000,000 | ---D | C](C:\WINDOWS\s?mbols) -- C:\WINDOWS\s?mbols
    [2006/09/04 18:17:41 | 000,000,000 | ---D | M](C:\WINDOWS\??crosoft.NET) -- C:\WINDOWS\??crosoft.NET
    [2006/09/04 18:17:41 | 000,000,000 | ---D | C](C:\WINDOWS\??crosoft.NET) -- C:\WINDOWS\??crosoft.NET
    [2006/09/03 19:04:01 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\S?mantec) -- C:\Documents and Settings\Jessica\Application Data\S?mantec
    [2006/09/03 19:04:01 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\S?mantec) -- C:\Documents and Settings\Jessica\Application Data\S?mantec
    [2006/09/02 19:02:45 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ecurity) -- C:\Documents and Settings\Jessica\Application Data\?ecurity
    [2006/09/02 19:02:45 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ecurity) -- C:\Documents and Settings\Jessica\Application Data\?ecurity
    [2006/08/30 14:35:49 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ystem32) -- C:\Documents and Settings\Jessica\Application Data\?ystem32
    [2006/08/30 14:35:49 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ystem32) -- C:\Documents and Settings\Jessica\Application Data\?ystem32
    [2006/08/29 13:59:58 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ppPatch) -- C:\Documents and Settings\Jessica\Application Data\?ppPatch
    [2006/08/29 13:59:58 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ppPatch) -- C:\Documents and Settings\Jessica\Application Data\?ppPatch
    [2006/08/28 14:03:38 | 000,000,000 | ---D | M](C:\WINDOWS\?ymantec) -- C:\WINDOWS\?ymantec
    [2006/08/28 14:03:38 | 000,000,000 | ---D | C](C:\WINDOWS\?ymantec) -- C:\WINDOWS\?ymantec
    [2006/08/27 13:54:20 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??mantec) -- C:\WINDOWS\System32\??mantec
    [2006/08/27 13:54:20 | 000,000,000 | ---D | C](C:\WINDOWS\System32\??mantec) -- C:\WINDOWS\System32\??mantec
    [2006/08/22 18:31:03 | 000,000,000 | ---D | M](C:\WINDOWS\a?sembly) -- C:\WINDOWS\a?sembly
    [2006/08/22 18:31:03 | 000,000,000 | ---D | C](C:\WINDOWS\a?sembly) -- C:\WINDOWS\a?sembly
    [2006/08/21 18:28:26 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\s?curity) -- C:\Documents and Settings\Jessica\Application Data\s?curity
    [2006/08/21 18:28:26 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\s?curity) -- C:\Documents and Settings\Jessica\Application Data\s?curity
    [2006/08/20 17:33:05 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\a?sembly) -- C:\Documents and Settings\Jessica\Application Data\a?sembly
    [2006/08/20 17:33:05 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\a?sembly) -- C:\Documents and Settings\Jessica\Application Data\a?sembly
    [2006/08/17 18:34:53 | 000,000,000 | ---D | C](C:\WINDOWS\System32\a?sembly) -- C:\WINDOWS\System32\a?sembly
    [2006/08/12 19:38:01 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\?icrosoft
    [2006/08/12 19:38:01 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?icrosoft) -- C:\WINDOWS\System32\?icrosoft
    [2006/08/05 10:05:04 | 000,000,000 | ---D | M](C:\WINDOWS\s?stem) -- C:\WINDOWS\s?stem
    [2006/08/05 10:05:04 | 000,000,000 | ---D | C](C:\WINDOWS\s?stem) -- C:\WINDOWS\s?stem
    [2006/08/01 18:08:00 | 000,000,000 | ---D | M](C:\Program Files\Common Files\s?mbols) -- C:\Program Files\Common Files\s?mbols
    [2006/08/01 18:08:00 | 000,000,000 | ---D | M](C:\Program Files\Common Files\s?mbols) -- C:\Program Files\Common Files\s?mbols
    [2006/07/30 19:58:10 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ystem) -- C:\Documents and Settings\Jessica\Application Data\?ystem
    [2006/07/30 19:58:10 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?ystem) -- C:\Documents and Settings\Jessica\Application Data\?ystem
    [2006/07/15 23:13:35 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?icrosoft.NET) -- C:\Program Files\Common Files\?icrosoft.NET
    [2006/07/15 23:13:35 | 000,000,000 | ---D | M](C:\Program Files\Common Files\?icrosoft.NET) -- C:\Program Files\Common Files\?icrosoft.NET
    [2006/07/07 22:43:24 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??mbols) -- C:\WINDOWS\System32\??mbols
    [2006/07/07 22:43:24 | 000,000,000 | ---D | C](C:\WINDOWS\System32\??mbols) -- C:\WINDOWS\System32\??mbols
    [2006/07/06 22:56:14 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?asks) -- C:\Documents and Settings\Jessica\Application Data\?asks
    [2006/07/06 22:56:14 | 000,000,000 | ---D | M](C:\Documents and Settings\Jessica\Application Data\?asks) -- C:\Documents and Settings\Jessica\Application Data\?asks
    [2006/07/05 23:51:05 | 000,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\??crosoft.NET
    [2006/07/05 23:51:05 | 000,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\??crosoft.NET
    [2006/06/28 21:14:45 | 000,000,000 | ---D | M](C:\WINDOWS\??stem) -- C:\WINDOWS\??stem
    [2006/06/28 21:14:45 | 000,000,000 | ---D | C](C:\WINDOWS\??stem) -- C:\WINDOWS\??stem
    [2006/06/26 20:16:15 | 000,000,000 | ---D | C](C:\WINDOWS\System32\S?mantec) -- C:\WINDOWS\System32\S?mantec
    (C:\Program Files\Common Files\s?stem32) -- C:\Program Files\Common Files\s?stem32
    (C:\Program Files\Common Files\s?mbols) -- C:\Program Files\Common Files\s?mbols
    (C:\Program Files\Common Files\F?nts) -- C:\Program Files\Common Files\F?nts
    (C:\Program Files\Common Files\?racle) -- C:\Program Files\Common Files\?racle
    (C:\Program Files\Common Files\?ppPatch) -- C:\Program Files\Common Files\?ppPatch
    (C:\Program Files\Common Files\?icrosoft.NET) -- C:\Program Files\Common Files\?icrosoft.NET
    (C:\Program Files\Common Files\??stem) -- C:\Program Files\Common Files\??stem
    (C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\??crosoft.NET
    (C:\Documents and Settings\Jessica\Application Data\S?mantec) -- C:\Documents and Settings\Jessica\Application Data\S?mantec
    (C:\Documents and Settings\Jessica\Application Data\s?curity) -- C:\Documents and Settings\Jessica\Application Data\s?curity
    (C:\Documents and Settings\Jessica\Application Data\F?nts) -- C:\Documents and Settings\Jessica\Application Data\F?nts
    (C:\Documents and Settings\Jessica\Application Data\a?sembly) -- C:\Documents and Settings\Jessica\Application Data\a?sembly
    (C:\Documents and Settings\Jessica\Application Data\?ystem32) -- C:\Documents and Settings\Jessica\Application Data\?ystem32
    (C:\Documents and Settings\Jessica\Application Data\?ystem) -- C:\Documents and Settings\Jessica\Application Data\?ystem
    (C:\Documents and Settings\Jessica\Application Data\?ymbols) -- C:\Documents and Settings\Jessica\Application Data\?ymbols
    (C:\Documents and Settings\Jessica\Application Data\?ssembly) -- C:\Documents and Settings\Jessica\Application Data\?ssembly
    (C:\Documents and Settings\Jessica\Application Data\?ppPatch) -- C:\Documents and Settings\Jessica\Application Data\?ppPatch
    (C:\Documents and Settings\Jessica\Application Data\?ecurity) -- C:\Documents and Settings\Jessica\Application Data\?ecurity
    (C:\Documents and Settings\Jessica\Application Data\?asks) -- C:\Documents and Settings\Jessica\Application Data\?asks
    (C:\Documents and Settings\Jessica\Application Data\??mbols) -- C:\Documents and Settings\Jessica\Application Data\??mbols
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

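The fix script above is written in OTL's own entry format, and the log it produces after "Run Fix" is what confirms whether each listed item was actually removed. The following is an added example, not part of this thread and not OTL's code: a small parser that reads entries in that format, flags the two patterns visible in MrC's script (hidden+system files with random names under Application Data, and folders whose names mimic real Windows folders with one non-ASCII character that OTL rendered as "?"), and cross-checks each scripted path against the fix log. The script and log excerpts embedded below are constructed from a few of the thread's own lines; the list of genuine folder names the look-alikes mimic is an assumption drawn from those entries.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the OTL fix-script format used in this thread
# (representative lines only, not the whole script MrC posted).
FIX_SCRIPT = r"""
:OTL
[2011/04/07 18:26:46 | 000,011,342 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2738145062
[2011/04/07 20:52:27 | 000,011,458 | -HS- | M] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
[2011/03/13 02:29:45 | 000,000,020 | ---- | M] () -- C:\WINDOWS\IXOYUKEJ.DLL
[2011/01/21 16:19:36 | 000,000,000 | ---D | M](C:\WINDOWS\System32\a?sembly) -- C:\WINDOWS\System32\a?sembly
[2006/12/06 14:19:21 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?dobe) -- C:\WINDOWS\System32\?dobe
[2006/12/18 12:01:07 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??sks) -- C:\WINDOWS\System32\??sks
:Commands
[emptytemp]
"""

# Constructed excerpt of the log OTL writes after "Run Fix" (same line shapes
# as the log posted later in this thread).
FIX_LOG = r"""
C:\Documents and Settings\All Users\Application Data\2738145062 moved successfully.
C:\Documents and Settings\Jessica\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32 moved successfully.
C:\WINDOWS\IXOYUKEJ.DLL moved successfully.
C:\WINDOWS\System32\a?sembly folder moved successfully.
Folder C:\WINDOWS\System32\?dobe\ not found.
"""

# One OTL file/folder entry: [timestamp | size | attrs | C/M](shown) -- path
# The "(shown)" part is "()" for plain names and repeats the path when the
# name contains a character OTL cannot print.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<op>[CM])\]"
    r"\s*\((?P<shown>[^)]*)\)\s*-- (?P<path>.+)$"
)
# Long extension-less alphanumeric name, like the droppers listed in the script.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8,}$", re.IGNORECASE)
# Assumed: genuine folder names that the "?"-containing entries in this thread mimic.
SYSTEM_NAMES = ("assembly", "Microsoft", "Microsoft.NET", "Symantec", "Tasks", "Fonts",
                "system", "system32", "symbols", "Oracle", "AppPatch", "Adobe", "security")


@dataclass
class Entry:
    path: str
    attrs: str
    is_dir: bool
    flags: list = field(default_factory=list)


def lookalike_of(name):
    """Return the real folder name a '?'-containing name mimics, else None.
    OTL rendered the non-ASCII character as '?', so '?' acts as a one-char wildcard."""
    if "?" not in name:
        return None
    pattern = re.escape(name).replace(r"\?", ".")
    for real in SYSTEM_NAMES:
        if re.fullmatch(pattern, real, re.IGNORECASE):
            return real
    return None


def parse_fix_script(text):
    """Parse file/folder entries; directive lines (:OTL, :Commands, [emptytemp]) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path, attrs = m.group("path"), m.group("attrs")
        entry = Entry(path=path, attrs=attrs, is_dir="D" in attrs)
        name = path.rsplit("\\", 1)[-1]
        if "H" in attrs and "S" in attrs and "Application Data" in path and RANDOM_NAME_RE.match(name):
            entry.flags.append("hidden+system file with random name under Application Data")
        real = lookalike_of(name)
        if real:
            entry.flags.append(f"folder name mimics '{real}' with a non-ASCII character")
        entries.append(entry)
    return entries


def verify_against_log(entries, log):
    """Map each scripted path to what the fix log reports: moved, not found, or no result line."""
    lines = [l.strip().lower() for l in log.splitlines() if l.strip()]
    status = {}
    for e in entries:
        p = e.path.lower()
        if any(l in (p + " moved successfully.", p + " folder moved successfully.") for l in lines):
            status[e.path] = "moved"
        elif any(l in ("folder " + p + "\\ not found.", "file " + p + " not found.") for l in lines):
            status[e.path] = "not found"
        else:
            status[e.path] = "no result line"
    return status


if __name__ == "__main__":
    parsed = parse_fix_script(FIX_SCRIPT)
    outcome = verify_against_log(parsed, FIX_LOG)
    for e in parsed:
        print(f"{outcome[e.path]:15} {e.path}  {'; '.join(e.flags)}")
```

A path that ends with "no result line" is one the fix never reported on, which is exactly the case where a reboot move or a second pass should be checked.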

MrC

I created a new system restore point on 4/10/11, and ran OTL with the provided script. Pasted are the contents of the log file 04102011_133914.

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA2FCEA7-0666-21B4-4293-58C0A55C06E7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA2FCEA7-0666-21B4-4293-58C0A55C06E7}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_USERS\S-1-5-21-2700284664-2585570681-2036073086-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.

Registry value HKEY_USERS\S-1-5-21-2700284664-2585570681-2036073086-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.

Registry value HKEY_USERS\S-1-5-21-2700284664-2585570681-2036073086-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Tmaget deleted successfully.

C:\WINDOWS\IXOYUKEJ.DLL moved successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Sen deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Ywciojk deleted successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Sen not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Ywciojk not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\FlashPlayerUpdate deleted successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\FlashPlayerUpdate not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

Folder C:\Documents and Settings\All Users\Application Data\hOi10601gEkBl10601\ not found.

C:\Documents and Settings\All Users\Application Data\2738145062 moved successfully.

C:\Documents and Settings\All Users\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32 moved successfully.

C:\Documents and Settings\Jessica\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32 moved successfully.

C:\Documents and Settings\LocalService\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32 moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32 moved successfully.

C:\Documents and Settings\All Users\Application Data\4064715361 moved successfully.

C:\Documents and Settings\Jessica\Local Settings\Application Data\4064715361 moved successfully.

Folder C:\Documents and Settings\All Users\Application Data\jPiIpPb10602\ not found.

C:\Documents and Settings\All Users\Application Data\e8010lu874aguygbc moved successfully.

File C:\WINDOWS\IXOYUKEJ.DLL not found.

C:\Documents and Settings\LocalService\Local Settings\Application Data\e8010lu874aguygbc moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\e8010lu874aguygbc moved successfully.

C:\Documents and Settings\Jessica\Local Settings\Application Data\2738145062 moved successfully.

File C:\Documents and Settings\All Users\Application Data\2738145062 not found.

C:\Documents and Settings\Jessica\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2 moved successfully.

C:\Documents and Settings\LocalService\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2 moved successfully.

C:\Documents and Settings\All Users\Application Data\8q1gjv45b1b2ny58w4voq16g4u2 moved successfully.

C:\WINDOWS\System32\a?sembly folder moved successfully.

C:\Program Files\Common Files\?ppPatch\?ppPatch folder moved successfully.

C:\Program Files\Common Files\?ppPatch folder moved successfully.

C:\WINDOWS\System32\S?mantec folder moved successfully.

C:\WINDOWS\System32\?icrosoft folder moved successfully.

Folder C:\WINDOWS\System32\?icrosoft\ not found.

Folder C:\Program Files\Common Files\?ppPatch\?ppPatch\ not found.

C:\Documents and Settings\Jessica\Application Data\?ssembly folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ssembly\ not found.

C:\Documents and Settings\Jessica\Application Data\F?nts folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\F?nts\ not found.

C:\Documents and Settings\Jessica\Application Data\?ymbols folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ymbols\ not found.

C:\Program Files\Common Files\s?stem32 folder moved successfully.

Folder C:\Program Files\Common Files\s?stem32\ not found.

C:\WINDOWS\System32\??sks folder moved successfully.

Folder C:\WINDOWS\System32\??sks\ not found.

C:\Program Files\Common Files\??stem folder moved successfully.

Folder C:\Program Files\Common Files\??stem\ not found.

C:\Program Files\Common Files\?racle folder moved successfully.

Folder C:\Program Files\Common Files\?racle\ not found.

C:\WINDOWS\System32\?dobe folder moved successfully.

Folder C:\WINDOWS\System32\?dobe\ not found.

C:\WINDOWS\?ystem folder moved successfully.

Folder C:\WINDOWS\?ystem\ not found.

C:\WINDOWS\??sks folder moved successfully.

Folder C:\WINDOWS\??sks\ not found.

C:\Program Files\Common Files\F?nts folder moved successfully.

Folder C:\Program Files\Common Files\F?nts\ not found.

C:\WINDOWS\?asks folder moved successfully.

Folder C:\WINDOWS\?asks\ not found.

C:\Documents and Settings\Jessica\Application Data\??mbols folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\??mbols\ not found.

C:\WINDOWS\System32\F?nts folder moved successfully.

Folder C:\WINDOWS\System32\F?nts\ not found.

C:\WINDOWS\s?mbols folder moved successfully.

Folder C:\WINDOWS\s?mbols\ not found.

C:\WINDOWS\??crosoft.NET folder moved successfully.

Folder C:\WINDOWS\??crosoft.NET\ not found.

C:\Documents and Settings\Jessica\Application Data\S?mantec folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\S?mantec\ not found.

C:\Documents and Settings\Jessica\Application Data\?ecurity folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ecurity\ not found.

C:\Documents and Settings\Jessica\Application Data\?ystem32 folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ystem32\ not found.

C:\Documents and Settings\Jessica\Application Data\?ppPatch folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ppPatch\ not found.

C:\WINDOWS\?ymantec folder moved successfully.

Folder C:\WINDOWS\?ymantec\ not found.

C:\WINDOWS\System32\??mantec folder moved successfully.

Folder C:\WINDOWS\System32\??mantec\ not found.

C:\WINDOWS\a?sembly folder moved successfully.

Folder C:\WINDOWS\a?sembly\ not found.

C:\Documents and Settings\Jessica\Application Data\s?curity folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\s?curity\ not found.

C:\Documents and Settings\Jessica\Application Data\a?sembly folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\a?sembly\ not found.

Folder C:\WINDOWS\System32\a?sembly\ not found.

C:\WINDOWS\System32\?icrosoft folder moved successfully.

Folder C:\WINDOWS\System32\?icrosoft\ not found.

C:\WINDOWS\s?stem folder moved successfully.

Folder C:\WINDOWS\s?stem\ not found.

C:\Program Files\Common Files\s?mbols folder moved successfully.

Folder C:\Program Files\Common Files\s?mbols\ not found.

C:\Documents and Settings\Jessica\Application Data\?ystem folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?ystem\ not found.

C:\Program Files\Common Files\?icrosoft.NET folder moved successfully.

Folder C:\Program Files\Common Files\?icrosoft.NET\ not found.

C:\WINDOWS\System32\??mbols folder moved successfully.

Folder C:\WINDOWS\System32\??mbols\ not found.

C:\Documents and Settings\Jessica\Application Data\?asks folder moved successfully.

Folder C:\Documents and Settings\Jessica\Application Data\?asks\ not found.

C:\Program Files\Common Files\??crosoft.NET folder moved successfully.

Folder C:\Program Files\Common Files\??crosoft.NET\ not found.

C:\WINDOWS\??stem folder moved successfully.

Folder C:\WINDOWS\??stem\ not found.

Folder C:\WINDOWS\System32\S?mantec\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Alex and Jess

->Temp folder emptied: 168330 bytes

->Temporary Internet Files folder emptied: 30718792 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 348 bytes

User: Alex and Jessica

->Temp folder emptied: 596461 bytes

->Temporary Internet Files folder emptied: 1325039 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: Guest

->Temp folder emptied: 1312149437 bytes

->Temporary Internet Files folder emptied: 373763908 bytes

->Java cache emptied: 1190 bytes

->Flash cache emptied: 6581 bytes

User: Jessica

->Temp folder emptied: 2532190297 bytes

->Temporary Internet Files folder emptied: 69300643 bytes

->Java cache emptied: 16051890 bytes

->Google Chrome cache emptied: 48131336 bytes

->Flash cache emptied: 1703360 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 195563902 bytes

->Java cache emptied: 37469 bytes

->Flash cache emptied: 348 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 24574313 bytes

->Java cache emptied: 1147329 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 4995601 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 197784392 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 93292960 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 12344084 bytes

RecycleBin emptied: 2050746112 bytes

Total Files Cleaned = 6,644.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04102011_133914

Files\Folders moved on Reboot...

C:\Documents and Settings\Jessica\Local Settings\Temporary Internet Files\Content.IE5\8MOFE9NW\index[5].htm moved successfully.

C:\Documents and Settings\Jessica\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\06VHSJUV\wp-postviews[2].php moved successfully.

Registry entries deleted on Reboot...


These issues seem to be recurring more frequently as of late, after we had an IT Specialist recover and install some different free spycatcher program. I'm strongly considering uninstalling everything he put on and purchasing the full registered version of mbam. What would be the benefits of having the full version, and would it prevent these viruses from repeatedly popping on? Thanks again for your help.

Yes, MBAM works in several ways to protect you.

* Dynamically Blocks Malware Sites & Servers

* Malware Execution Prevention (real time protection)

--------------------------------

Please Update and run a Quick Scan with MBAM and post the log, MrC


Thank you MrC

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6328

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/10/2011 9:43:47 PM

mbam-log-2011-04-10 (21-43-47).txt

Scan type: Quick scan

Objects scanned: 204388

Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


It was doing ok for a while. I upgraded to the pro version, but am starting to have issues again. Computer will lock up and nothing can be done. Restart is the only option. Sometimes it has taken five plus restarts to where I can get into mbam. Unless I act super quick after a restart it freezes up. I managed to get mbam updated and am in the process of doing a full scan. After some earlier scans I did there were multiple files that couldn't be located. I feel like there are still some malicious hidden files that can't be found and are still causing issues.
