
Keep Running Adaware And Deleting Infections, But It Keeps Finding More!


  • This topic is locked
8 replies to this topic

#1 yeldarb


Posted 03 March 2008 - 09:59 AM

IE is opening random web sites even when I'm not online (constant connection, just not using a browser). It does this constantly, every two or three minutes. I ran an Adaware 2007 scan and it came up with 50+ infections. It deleted them all except for two or three files named InetGet2 and Wintoutch. I manually deleted them. I then restarted the computer, and it happened again. Ran Adaware... more infections... deleted them all... ran Adaware again... more infections... deleted them all... etc. :thumbsup: Any ideas?

Brad


#2 yeldarb


Posted 03 March 2008 - 10:12 AM

I should note: I blocked IE from actually opening anything (Content Advisor). The page that it attempts to open is usually ads.k8l.info

#3 quietman7


Posted 03 March 2008 - 11:00 AM

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info or Yazzle in them.

Important! Reboot when done.

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

Purity
C:\Program Files\InetGet2

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Patterns to Search for and Move" (under the yellow bar), and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 yeldarb


Posted 04 March 2008 - 11:01 AM

I lost the log for OTMoveIt2...

I'm still infected.

Now I can't open any folders.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2008 at 10:23 AM

Application Version : 4.0.1154

Core Rules Database Version : 3413
Trace Rules Database Version: 1405

Scan type : Complete Scan
Total Scan Time : 00:38:17

Memory items scanned : 174
Memory threats detected : 2
Registry items scanned : 5626
Registry threats detected : 46
File items scanned : 74783
File threats detected : 74

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\IIFFDDD.DLL
C:\WINDOWS\SYSTEM32\IIFFDDD.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED120D76-BF31-412C-A99B-783C6676E128}
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}\InprocServer32
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{ED120D76-BF31-412C-A99B-783C6676E128}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iiffddd
C:\WINDOWS\SYSTEM32\VTUVTTS.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTSQO.DLL
C:\WINDOWS\SYSTEM32\VTSQO.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\NJFXAETT.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}
HKCR\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}
HKCR\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}\InprocServer32
HKCR\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}\InprocServer32#ThreadingModel
HKCR\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}\Programmable
HKCR\CLSID\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}\TypeLib
C:\WINDOWS\SYSTEM32\UAOPH.DLL
HKLM\Software\Classes\CLSID\{A88B113C-0E6E-49B1-8753-202C65FA7ADF}
HKCR\CLSID\{A88B113C-0E6E-49B1-8753-202C65FA7ADF}
HKCR\CLSID\{A88B113C-0E6E-49B1-8753-202C65FA7ADF}\InprocServer32
HKCR\CLSID\{A88B113C-0E6E-49B1-8753-202C65FA7ADF}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3538CEBC-7423-28A3-5713-2F00B6BDDDE9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A88B113C-0E6E-49B1-8753-202C65FA7ADF}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{3a436168-d86f-4510-b663-ab362acc0aa8}
HKCR\CLSID\{3A436168-D86F-4510-B663-AB362ACC0AA8}
HKCR\CLSID\{3A436168-D86F-4510-B663-AB362ACC0AA8}\InprocServer32
HKCR\CLSID\{3A436168-D86F-4510-B663-AB362ACC0AA8}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IHOQQSTT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a436168-d86f-4510-b663-ab362acc0aa8}
C:\WINDOWS\SYSTEM32\HAJRKGIR.DLL
C:\WINDOWS\SYSTEM32\KXAHKXGG.DLL
C:\WINDOWS\SYSTEM32\MUQJTBCQ.DLL

Adware.Tracking Cookie

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\WINDOWS\Q2HYAXMGUG\KZ1VURG0O0.VBS

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
C:\Documents and Settings\Chris R\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Chris R\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Chris R\Start Menu\Programs\Outerinfo

Rogue.LocusSoftware-Installer
C:\DOCUMENTS AND SETTINGS\CHRIS R\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\R6N771J4\WINVSNET[1].EXE

Adware.Yazzle-Installer
C:\DOCUMENTS AND SETTINGS\CHRIS R\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RT98WBY7\YAZZSNET[1].EXE

Adware.Rabio Search Enhancer
C:\WINDOWS\SYSTEM32\K8\RAVECOM3.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\OQSTV.INI
C:\WINDOWS\SYSTEM32\OQSTV.INI2

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

Adware.ClickSpring
C:\_OTMOVEIT\MOVEDFILES\03042008_093013\DOCUMENTS AND SETTINGS\CHRIS R\MY DOCUMENTS\DOBE~1\MSIEXEC.EXE
C:\_OTMoveIt\MovedFiles\03042008_093013\WINDOWS\system32\STEM32~1\XPLORE~1.EXE

Adware.OuterInfo-Installer
C:\_OTMOVEIT\MOVEDFILES\03042008_093013\PROGRAM FILES\OUTERINFO\OIUNINSTALLER.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\RT98WBY7\ctxad-576[1].0000
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\L8WB5LSD\ctxad-576[1].0004
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\I5U3M1GF\ctxad-576[1].0002
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\RT98WBY7\ctxad-576[1].0005
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\ULI3UZGT\ctxad-576[1].0001
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\ULI3UZGT\ctxad-576[1].sig
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\63QF6PYV\17PHolmes[1].cmt
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\I5U3M1GF\17PHolmes[1].cmt
C:\Documents and Settings\Chris R\Local Settings\Temporary Internet Files\Content.IE5\I5U3M1GF\checkin[1].htm

#5 quietman7


Posted 04 March 2008 - 12:15 PM

A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.

Download and run the Purity Scan uninstaller.
  • Save the Uninstaller to your desktop.
  • Double click on the OiUninstaller.exe icon on your desktop.
  • Click on "Run".
  • Enter the four digit code that is displayed and click on "Uninstall".
  • Click on "Ok" and reboot your computer.
Click here for Instructions with screenshots if needed.

Note: OiUninstaller uses UPX (ultimate packer for executables), an advanced file compressor and a method for compressing executable files to reduce their size to save space on a disk and download time. Some anti-virus programs such as Avast and Kaspersky may detect it as malware when attempting to download or unpack the compressed file.

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".
-- If using Windows Vista be sure to Run As Administrator.

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

#6 yeldarb


Posted 04 March 2008 - 04:45 PM

[Custom Input]
< Purity >
C:\WINDOWS\system32\ѕуstem32 moved successfully.
C:\Program Files\Outerinfo\FF\components moved successfully.
C:\Program Files\Outerinfo\FF moved successfully.
C:\Program Files\Outerinfo moved successfully.
C:\Program Files\Τаsks moved successfully.
C:\Documents and Settings\Chris R\My Documents\Αdobe\Αdobe moved successfully.
C:\Documents and Settings\Chris R\My Documents\Αdobe moved successfully.
< C:\Program Files\InetGet2 >
File/Folder C:\Program Files\InetGet2 not found.

OTMoveIt2 v1.0.20 log created on 03042008_093013

----------------------------------------------------------------------------------------------------------------------


VundoFix V6.7.10

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:10:34 PM 3/4/2008

Listing files found while scanning....

C:\WINDOWS\system32\cmixkvbx.dll
C:\WINDOWS\system32\debilacs.dll
C:\WINDOWS\system32\ewyoqcya.dll
C:\WINDOWS\system32\fhkbmhxc.dll
C:\WINDOWS\system32\fywwqbco.dll
C:\WINDOWS\system32\jflvirvv.dll
C:\WINDOWS\system32\jocpaxhm.dll
C:\WINDOWS\system32\jsucqltn.dll
C:\WINDOWS\system32\jtpheywl.ini
C:\WINDOWS\system32\lrfnilpy.dll
C:\WINDOWS\system32\lwyehptj.dll
C:\WINDOWS\system32\mceiwbnb.dll
C:\windows\system32\njfxaett.dllbox
C:\WINDOWS\system32\qgmsjmtu.dll
C:\WINDOWS\system32\rqdcrbda.dll
C:\WINDOWS\system32\siprvmtd.dll
C:\windows\system32\siprvmtd.dllbox
C:\WINDOWS\system32\uxxxfljw.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vvrivlfj.ini
C:\WINDOWS\system32\wkcxhapc.dll
C:\WINDOWS\system32\wxcqjpwn.dll
C:\WINDOWS\system32\xvmwtxby.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cmixkvbx.dll
C:\WINDOWS\system32\cmixkvbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\debilacs.dll
C:\WINDOWS\system32\debilacs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ewyoqcya.dll
C:\WINDOWS\system32\ewyoqcya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fhkbmhxc.dll
C:\WINDOWS\system32\fhkbmhxc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fywwqbco.dll
C:\WINDOWS\system32\fywwqbco.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jflvirvv.dll
C:\WINDOWS\system32\jflvirvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jocpaxhm.dll
C:\WINDOWS\system32\jocpaxhm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jsucqltn.dll
C:\WINDOWS\system32\jsucqltn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jtpheywl.ini
C:\WINDOWS\system32\jtpheywl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lrfnilpy.dll
C:\WINDOWS\system32\lrfnilpy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lwyehptj.dll
C:\WINDOWS\system32\lwyehptj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mceiwbnb.dll
C:\WINDOWS\system32\mceiwbnb.dll Has been deleted!

Attempting to delete C:\windows\system32\njfxaett.dllbox
C:\windows\system32\njfxaett.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\qgmsjmtu.dll
C:\WINDOWS\system32\qgmsjmtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqdcrbda.dll
C:\WINDOWS\system32\rqdcrbda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\siprvmtd.dll
C:\WINDOWS\system32\siprvmtd.dll Has been deleted!

Attempting to delete C:\windows\system32\siprvmtd.dllbox
C:\windows\system32\siprvmtd.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\uxxxfljw.dll
C:\WINDOWS\system32\uxxxfljw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvrivlfj.ini
C:\WINDOWS\system32\vvrivlfj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wkcxhapc.dll
C:\WINDOWS\system32\wkcxhapc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxcqjpwn.dll
C:\WINDOWS\system32\wxcqjpwn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvmwtxby.dll
C:\WINDOWS\system32\xvmwtxby.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lrfnilpy.dll
C:\WINDOWS\system32\lrfnilpy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lwyehptj.dll
C:\WINDOWS\system32\lwyehptj.dll Has been deleted!

Performing Repairs to the registry.
Done!


-------------------------------------------------------------------------------------------------------------------------


[03/04/2008, 16:38:58] - VirtumundoBeGone v1.5 ( "F:\Virus\VirtumundoBeGone.exe" )
[03/04/2008, 16:39:10] - Detected System Information:
[03/04/2008, 16:39:10] - Windows Version: 5.1.2600, Service Pack 2
[03/04/2008, 16:39:10] - Current Username: Chris R (Admin)
[03/04/2008, 16:39:10] - Windows is in NORMAL mode.
[03/04/2008, 16:39:10] - Searching for Browser Helper Objects:
[03/04/2008, 16:39:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/04/2008, 16:39:10] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[03/04/2008, 16:39:10] - BHO 3: {761a3078-227e-45ce-8eaa-63093c7cac9e} ()
[03/04/2008, 16:39:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 16:39:10] - Checking for HKLM\...\Winlogon\Notify\wxcqjpwn
[03/04/2008, 16:39:10] - Key not found: HKLM\...\Winlogon\Notify\wxcqjpwn, continuing.
[03/04/2008, 16:39:10] - BHO 4: {924C2AF5-1221-4293-B4DC-ABC8CDF46AD8} ()
[03/04/2008, 16:39:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 16:39:10] - Checking for HKLM\...\Winlogon\Notify\myporyfeq89104
[03/04/2008, 16:39:10] - Key not found: HKLM\...\Winlogon\Notify\myporyfeq89104, continuing.
[03/04/2008, 16:39:10] - BHO 5: {AE84A6AA-A333-4B92-B276-C11E2212E4FE} (CPrintEnhancer Object)
[03/04/2008, 16:39:10] - BHO 6: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[03/04/2008, 16:39:10] - BHO 7: {CADA5F3F-2127-439D-91A7-0F8AFD25B42A} ()
[03/04/2008, 16:39:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 16:39:10] - Checking for HKLM\...\Winlogon\Notify\vtsqo
[03/04/2008, 16:39:10] - Key not found: HKLM\...\Winlogon\Notify\vtsqo, continuing.
[03/04/2008, 16:39:10] - Finished Searching Browser Helper Objects
[03/04/2008, 16:39:10] - Finishing up...
[03/04/2008, 16:39:10] - Nothing found! Exiting...

--------------------------------------------------------------------------------------------------------------------------------------

Still having some issues. Web page pop-ups "trx66.lban.com" and "DEEWOO". Thanks for your help and patience.

Edited by yeldarb, 04 March 2008 - 04:47 PM.
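The OTMoveIt2 output in the post above moved folders named ѕуstem32, Τаsks and Αdobe, spelled with Cyrillic and Greek letters so that they pass for the real system32, Tasks and Adobe folders in Explorer. The script below is an added example, not code from this thread or from OTMoveIt2: it assumes a small hand-picked confusable map and a list of well-known folder names, and flags path components whose non-Latin letters all map to ASCII lookalikes, while leaving genuine non-Latin names alone. The sample paths are constructed; the first three reproduce the names from the log.

```python
import unicodedata

# Assumption: a hand-picked subset of the Unicode confusables table
# (UTS #39); the real table is far larger.  Keys are Cyrillic/Greek
# code points, values are the ASCII letters they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03bf": "o",
}

# Assumed list of folder names worth impersonating.
KNOWN_NAMES = {"windows", "system32", "program files", "tasks", "adobe",
               "documents and settings", "users", "temp", "microsoft"}


def skeleton(name):
    """Map each confusable code point to its ASCII lookalike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def _is_letter(ch):
    return unicodedata.category(ch).startswith("L")


def foreign_letters(name):
    """Letters from a script other than Latin (Cyrillic, Greek, ...)."""
    return [ch for ch in name
            if _is_letter(ch) and not unicodedata.name(ch, "").startswith("LATIN")]


def analyze_path(path):
    """Return (component, skeleton, [reasons]) for each suspicious component.

    A component is suspicious when every non-Latin letter in it has an
    ASCII lookalike (a homoglyph spelling).  It is then also checked for
    mixed scripts, against well-known folder names, and against its own
    parent directory (system32\\system32-lookalike nesting).  Names with
    real non-Latin letters, or Latin letters with diacritics, are skipped.
    """
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    findings = []
    for i, comp in enumerate(parts):
        if not foreign_letters(comp):
            continue
        skel = skeleton(comp)
        if not skel.isascii():
            continue  # genuine foreign-script name, not a lookalike
        reasons = ["homoglyph spelling of %r" % skel]
        if any(_is_letter(c) and c.isascii() for c in comp):
            reasons.append("mixes Latin and non-Latin letters")
        if skel.lower() in KNOWN_NAMES:
            reasons.append("mimics a well-known folder name")
        if i > 0 and skeleton(parts[i - 1]).lower() == skel.lower():
            reasons.append("nested under a folder of the same apparent name")
        findings.append((comp, skel, reasons))
    return findings


# Constructed sample: the first three reproduce the OTMoveIt2 log's
# folder names, the rest show inputs that must not be flagged.
SAMPLE_PATHS = [
    "C:\\WINDOWS\\system32\\\u0455\u0443stem32",
    "C:\\Program Files\\\u03a4\u0430sks",
    "C:\\Documents and Settings\\Chris R\\My Documents\\\u0391dobe\\\u0391dobe",
    "C:\\Program Files\\Outerinfo\\FF\\components",    # plain ASCII
    "C:\\Users\\M\u00fcller\\Dokumente",                # Latin with diacritic
    "C:\\Users\\\u0418\u0432\u0430\u043d\\Documents",   # genuine Cyrillic name
]


def scan(paths):
    """Map each path to its findings; paths with no findings are omitted."""
    return {p: analyze_path(p) for p in paths if analyze_path(p)}


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(path)
        for comp, skel, reasons in findings:
            print("  %r looks like %r: %s" % (comp, skel, "; ".join(reasons)))
```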


#7 quietman7


Posted 04 March 2008 - 06:13 PM

Some variants of Vundo may not be detected by VundoFix, so the "Add more files" or "Drag & Drop" options are other ways of ridding yourself of this malware. These files need to be identified, and posting a HijackThis log will enable an expert to advise you which files to add if you continue to have problems. If the infection remains after using VundoFix, then you should post a HijackThis log.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

Important: Some variants of vundo malware will hide certain entries in a hijackthis log to prevent detection so you need to rename HijackThis before using it.
  • After installing HijackThis, open My Computer or Windows Explorer and navigate to the HijackThis Folder.
  • Inside the folder, right-click on the HijackThis.exe file and rename it Scanner.exe.
  • Double-click on Scanner.exe (which is still HijackThis), run a scan, save the logfile and copy/paste it into a new topic in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts.
Give your topic a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

#8 yeldarb


Posted 06 March 2008 - 02:37 PM

Thanks for all the help!

#9 quietman7


Posted 07 March 2008 - 08:51 AM

Your hijackthis log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.



