

Pesky Vundo Trojan Infection


18 replies to this topic

#1 zombiewhacker (Members, 107 posts)

Posted 16 October 2008 - 05:25 PM

Greetings all.

My OS: Windows XP Home Service Pack 2. Anti-mal installed: SuperAntiSpyware, AVG (Free Edition), MalwareBytes, SpybotSearch and Destroy, Spyware Blaster, Windows Firewall (yuk yuk yuk)

My problem:

Recently I visited a website only to find out (too late) that it was poisoned. Immediately several nasty trojans (and worse) downloaded themselves to my PC. Fortunately, no data was lost (so far) and I still have control of my PC (for the most part). However, my internet connection is iffy and I keep getting these strange pop-ups when I'm offline bearing this message:

"No connection to the Internet is currently available. To view Internet content that has been saved on your computer, click Work Offline. Click Try Again to attempt to connect."

Naturally, I don't take the bait. Instead, I Ctrl-Alt-Del and shut down the pop-up message. That causes my desktop icons and Start-up bar to refresh as if I just re-booted. No data loss or anything missing, but if I had moved any of my icons during my current session, the refresh resets the icons to wherever they were when I first booted up.

Then... seconds later, I get the same message. "No connection to the Internet..." et cetera.

So I ran SuperAntiSpyware. That cleaned up my computer a little bit (lots of files quarantined and deleted), however, I still get the pop-up messages every thirty seconds or so. Then I ran Malwarebytes. That eliminated a bunch of malicious entries that SAS could not; however, two remaining items it identifies it cannot remove. These are: instbndlkeyldr.dll and instkey.dll, which are identified as Trojan vundos. Neither of the antivirus/antimalware programs I mentioned are able to remove these, nor can my AVG (not that I expected it would).

Another detail: I opened Spybot Search and Destroy in advanced mode and checked startup programs in System Tools. It identifies a strange .dll called iifefETl (last letter "L" as in "lemon"). Google indicates this is a Trojan, too, but does not provide any other information. If I try to uncheck this Trojan in System Tools, the file mysteriously re-checks itself so there's no way to prevent it from starting when I boot-up. Hmmmm...

Last thing: when I boot to safe mode, I do not get the pop-ups I mentioned and my computer seems stable. However, in safe mode of course I cannot log onto the internet. Regular mode is where I seem to be having all the problems.

Directions on how to proceed? I have recently downloaded Hijack This and your favorite and mine, Combofix, but have not installed either. Waiting for your instructions. Thanks.

Edited by zombiewhacker, 16 October 2008 - 05:27 PM.




#2 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 16 October 2008 - 05:31 PM

Try these two scans:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 17 October 2008 - 07:01 PM

Okay, an update: I ran both scans. One of them was able to remove iifefETl and now I can uncheck it in Spybot System Tools Startup. When I finally rebooted to normal mode, I noticed I was no longer getting the popup message I mentioned before. My desktop was as I had originally configured it; however, my selected wallpaper was no longer displayed and my PC clock is now displaying "military" time instead of normal time (16:43 instead of 4:43).

I decided to leave my computer unattended for a while to see what would happen. (Offline, modem physically disconnected from Internet to be extra safe.) When I came back an hour or so later, my screen saver had kicked in (expected). When I tried to "wake" my computer up via mouse or keypad, it didn't respond right away. When it did, I got this popup-message:

"Accessed file is infected.

Threat detected!

File name: C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1286\A0052780.exe

Threat name: Trojan Horse PSW.Generic6.ABBK

Detected Threat on Open

More information about this threat..."

Apparently this was my recently-installed AVG kicking in (the blue window header read "Resident Shield") so I just clicked on heal and am currently crossing my fingers.

Any idea what threat AVG was referring to? Is the disappearing wallpaper/screwed up clock normal? What should be my next move?

#4 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 18 October 2008 - 01:07 AM

Run a full scan with Malwarebytes and post the log.

#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts, Virginia, USA)

Posted 18 October 2008 - 06:53 AM

To change your time, go to Start > Control Panel and double-click Date, Time, Language and Regional Options.
Note: Depending on your settings (classic view) it may show as Regional and Language Options.
In the Regional Options tab, under Standards and formats click the Customize... button.
Click the Time tab, and then click the down arrow next to the Time format box.
Select: h:mm:ss tt
Click Apply or Ok twice to exit out.

Or click on Start > Help and Support Center and in the Search box type: change time display
Press Enter or click the green arrow.
Under Suggested Topics click > Pick a task, click on "Change the way your computer displays the time" and follow the instructions provided.

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:
  • Security Info
  • Warning Message
  • Security Desktop
  • Warning Homepage
  • Privacy Protection
  • Desktop Uninstall
If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 19 October 2008 - 03:37 PM

And the fun continues...

It turns out that I can't log onto the Internet with my infected computer. (All my posts thus far have been on another PC.)

When I booted up this morning, I seemingly was able to connect with my service... but then right before my browser was supposed to open, a little message appeared in the bottom right hand corner of my desktop. You know that yellow message box that often appears in Windows when you cursor over something but don't actually click on it? Well, this yellow message box said "pop09(myinternetservice).net" then repeated itself, scrolling straight up and down the right hand side of my screen like this:

pop09(myinternetservice).net
pop09(myinternetservice).net
pop09(myinternetservice).net
pop09(myinternetservice).net
pop09(myinternetservice).net
pop09(myinternetservice).net


On and on ad infinitum. My desktop froze and I was unable to click out of it, so finally I just had to shut off my PC. I tried again. Same result. That's when I had to give up. Note that this the first time I had seen this error. This hadn't even happened to me on the day I realized I'd been infected.

Given that I'm unable to cut and paste my malwarebytes log, I jotted down all the pertinent information and will now attempt to transcribe them here:

Malwarebytes Anti-Malware 1.28
Database version 1225
Windows 5.1.2600 Service Pack 2

Scan Type: Full Scan (C:|/)
Objects scanned: 224397
Time Elapsed: 3 Hour(s), 23 Minute(s), 24 Second(s)

Registry Keys Infected: 2

(Nothing else infected in this section - no malicious items detected in memory processes or memory modules)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instbndlkeyldr (Trojan.vundo) -> Quarantined and deleted
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.vundo) -> Quarantined and deleted

(No malicious items detected in Registry Values, Registry Data Items, Folders, or Files)

Note that the two infected registry keys are the same ones that turned up in previous scans. Each time Malwarebytes claimed it had quarantined and deleted them, but apparently not. A safe bet it didn't do the job this time either.

What do you think, sirs?

(Oh, and in the meantime: given the limited info I've provided so far, do you see any danger in using my computer for ordinary tasks like playing Windows Media Player, using my word processor, etc?)

#7 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 19 October 2008 - 03:49 PM

I don't see any problem with using media player etc.

Try this scan, you can copy it over from another computer if you need.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts, Virginia, USA)

Posted 19 October 2008 - 04:34 PM

Also MBAM has been updated. Please download and install the most current version (1.29) from here.

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#9 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 21 October 2008 - 04:52 PM

You can't spell "Internet" or "irony" without the letter "i". I'm doing a Dr. Web scan as I write this... and I just got this message:

C:Documents And Settings\Owner\Desktop\Smitfraudfix.exe

Archive contains infected objects.

Move?

Yes to all/Yes/No/No to All


What should I do?

Edited by zombiewhacker, 21 October 2008 - 04:54 PM.


#10 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 21 October 2008 - 04:55 PM

Smitfraudfix.exe is not a virus, but DrWebCureIt thinks it is. Just move it, it's no problem.

#11 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 22 October 2008 - 06:12 PM

Dr. Web report:

SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Documents and Settings\Owner\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Downloads\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Downloads;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Downloads\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Downloads;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Downloads\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Downloads\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Downloads;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
A0052342.dll;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1278;BackDoor.Tdss.7;Deleted.;
A0052343.dll;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1278;Trojan.Sespy.13;Deleted.;
A0052344.dll;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1278;BackDoor.Tdss.7;Deleted.;
A0052345.dll;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1278;Trojan.Fakealert.1304;Deleted.;
A0052781.exe\TSUNINSTALLER.EXE;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1286\A0052781.exe;Adware.TimeSink;;
A0052781.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1286;Archive contains infected objects;Moved.;
A0053892.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053892.exe;Tool.Prockill;;
A0053892.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053892.exe;Tool.ShutDown.11;;
A0053892.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287;Archive contains infected objects;Moved.;
A0053893.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053893.exe;Program.PsExec.171;;
A0053893.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287;Archive contains infected objects;Moved.;
A0053894.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053894.exe;Tool.Prockill;;
A0053894.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287;Archive contains infected objects;Moved.;
A0053895.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053895.exe;Tool.Prockill;;
A0053895.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053895.exe;Tool.ShutDown.11;;
A0053895.exe;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287;Archive contains infected objects;Moved.;
EV191065.exe;C:\WINDOWS\system32\EV19;Trojan.DownLoader.56730;Deleted.;

List above does not include D: drive. It spotted backups of Smitfraudfix and SDEdit on my backup CD. Otherwise zippo.

Next comes first of three scans I did with MBAM Version 1.29:

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 2

10/22/2008 8:54:31 AM
mbam-log-2008-10-22 (08-54-31).txt

Scan type: Quick Scan
Objects scanned: 46535
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\khfCtuvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUooPjI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGabBuu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGvvttS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqRKdEX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPgdeF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXoOEvT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXOEwXr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyaayWo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I rebooted and ran my second scan. Report follows:

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 2

10/22/2008 11:41:58 AM
mbam-log-2008-10-22 (11-41-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 224652
Time elapsed: 1 hour(s), 19 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1286\A0052814.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1286\A0052822.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1287\A0053896.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mak\CSH5B12.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Rebooted, then scanned a third time. Report follows.

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 2

10/22/2008 3:16:26 PM
mbam-log-2008-10-22 (15-16-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 224683
Time elapsed: 1 hour(s), 20 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I am now up and running on Internet for first time in weeks. Crazy balloon messages are not popping up this time. However, I discovered that AVG has installed a toolbar in my IE browser. Also CPU usage when I first log on is close to 100% and it takes several minutes before it dies back down (current CPU usage is 7%-15%.) Any way to get rid of this AVG toolbar?

Also note that although MBAM no longer reports those two Trojan vundos I mentioned (instbndlkeyldr and instkey), the logs above show no indication that either vundo was ever actually deleted (unless Dr. Web deleted them under another name).

Another thing: that other DLL I mentioned: iifefETl. I opened Spybot and unchecked it, like I said. Today I decided to delete it. When I opened Spybot system tools later, iifefETl was back again, although it remained unchecked. (Also another crazy .dll which I unchecked allows itself to be unchecked but refuses to allow itself to be deleted.)

Not observing any strange behavior so far, but anything else I should check out before I consider myself "cured"?
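As an added example (not from the thread and not Dr.Web's own code), a small Python parser for the semicolon-separated DrWeb.csv report posted above. It separates the removal tools that Dr.Web labels Tool./Program. (the point Budapest makes in #10) and copies inside System Restore points from detections in live folders; the sample lines are constructed in the shape of the report, and the four-field layout is assumed from it.

```python
r"""Parse Dr.Web CureIt's DrWeb.csv report and sort detections by what they mean.

Added example; assumes the layout seen in the thread: object;location;threat;action;
An object found inside an archive is written as archive\inner\path with an empty
action, and the action is recorded on the archive's own top-level line.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape of the report posted above.
SAMPLE_REPORT = r"""
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Owner\Desktop;Archive contains infected objects;Moved.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Downloads\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Downloads;Archive contains infected objects;Moved.;
A0052342.dll;C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1278;BackDoor.Tdss.7;Deleted.;
EV191065.exe;C:\WINDOWS\system32\EV19;Trojan.DownLoader.56730;Deleted.;
"""

RESTORE_PREFIX = "c:\\system volume information\\_restore"
TOOL_PREFIXES = ("Tool.", "Program.")   # Dr.Web's riskware classes, not viruses


@dataclass(frozen=True)
class Detection:
    obj: str        # object name; archive members appear as archive\inner\path
    location: str   # folder, or the archive file, holding the object
    threat: str     # threat name or "Archive contains infected objects"
    action: str     # "Moved.", "Deleted.", or "" for an archive member

    @property
    def archive(self) -> Optional[str]:
        """Enclosing archive name when this line describes an archive member."""
        return self.obj.split("\\", 1)[0] if "\\" in self.obj else None

    @property
    def category(self) -> str:
        if self.threat.startswith(TOOL_PREFIXES):
            return "admin_tool"          # Prockill/PsExec bundled in the removal tools
        if self.threat == "Archive contains infected objects":
            return "archive_container"   # the action line for the archive itself
        if self.location.lower().startswith(RESTORE_PREFIX):
            return "restore_point"       # System Restore snapshot, not a live file
        return "live"                    # a file in a live folder: the real finding


def parse_report(text: str) -> list[Detection]:
    """Parse report text; raises ValueError on a line with fewer than four fields."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed report line: {raw!r}")
        obj, location, threat, action = (f.strip() for f in fields[:4])
        detections.append(Detection(obj, location, threat, action))
    return detections


def summarize(detections: list[Detection]) -> dict[str, int]:
    """Count detections per category."""
    return dict(Counter(d.category for d in detections))


def live_threats(detections: list[Detection]) -> list[Detection]:
    """Detections that are neither tools, archive wrappers nor restore-point copies."""
    return [d for d in detections if d.category == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for d in live_threats(found):
        print(f"{d.category}: {d.location}\\{d.obj} ({d.threat}) {d.action}")
```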

#12 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 22 October 2008 - 06:14 PM

Run a full scan with SuperAntiSpyware in Safe Mode and post the log.

#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts, Virginia, USA)

Posted 23 October 2008 - 06:42 AM

Please provide the location (full file path) to iifefETl.dll and the name/location of any other suspicious .dlls.

Also go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

AVG Security Toolbar: AVG Security Toolbar - What is it? How to Remove/Disable
AVG LinkScanner: LinkScanner - what is it?

#14 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 23 October 2008 - 05:33 PM

Spybot identifies first .dll as the following:

HK_LM:RUN (key)

tvqovopxqkkikqci (Value)

C:\windows\system32\regsvr32.exe /s C:\windows\system32\kbpbajqxcalvdqgo.dll (Command line)

No such .dll is identified in my windows\system32 directory so no upload for analysis is possible. I uploaded regsvr32 to virusscan.jotti. Scans found nothing.

Meanwhile, Spybot system tools identifies no path for iifefETl.dll. It's simply listed as System.ini (key), iifefETl as value and iifefETl.dll as command line.
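Added example (not Spybot's code and not from the thread): a Python triage of Spybot-style startup entries that extracts the real payload behind a regsvr32 /s loader and reports whether that DLL is still on disk, mirroring the two cases in this post (a Run value whose DLL is no longer present, and a System.ini entry with no path at all). The entry and function names are hypothetical, the temp files are constructed, and the Windows command lines are the ones quoted above.

```python
"""Triage Spybot-style startup entries: find the real payload behind a loader
and check whether it is still on disk.

Added example, not Spybot's own code. Assumes Spybot's three-part display
(key, value name, command line) as quoted in the post above.
"""
from __future__ import annotations

import os
import re
import shlex
import tempfile
from dataclasses import dataclass
from typing import Optional

FLAG_RE = re.compile(r"[/-][A-Za-z](:.*)?$")   # regsvr32 switches such as /s or /i:arg


@dataclass(frozen=True)
class AutostartEntry:
    key: str       # e.g. "HK_LM:RUN" or "System.ini", as Spybot labels them
    value: str     # value name; here a random-looking string
    command: str   # command line Spybot shows for the entry


def loader_target(command: str) -> tuple[Optional[str], Optional[str]]:
    """Return (loader executable, payload path).

    For 'regsvr32.exe /s X.dll' the payload is X.dll: regsvr32 only loads it
    and calls its DllRegisterServer, so the DLL is what needs examining."""
    parts = [p.strip('"') for p in shlex.split(command, posix=False)]  # posix=False keeps backslashes
    if not parts:
        return None, None
    loader = os.path.basename(parts[0].replace("\\", "/")).lower()
    if loader == "regsvr32.exe":
        args = [p for p in parts[1:] if not FLAG_RE.fullmatch(p)]
        return loader, (args[0] if args else None)
    return loader, parts[0]


def triage(entries: list[AutostartEntry]) -> list[tuple[str, Optional[str], Optional[str], str]]:
    """Label each entry: present, orphaned (payload gone), unresolved (no path), unparseable."""
    results = []
    for e in entries:
        loader, target = loader_target(e.command)
        if target is None:
            status = "unparseable"
        elif not any(sep in target for sep in ("\\", "/")):
            status = "unresolved"   # bare file name, as Spybot showed for iifefETl.dll
        elif os.path.isfile(target):
            status = "present"
        else:
            status = "orphaned"     # the Run value survived but its DLL is gone
        results.append((e.value, loader, target, status))
    return results


def sample_entries(tmpdir: str) -> list[AutostartEntry]:
    """Constructed sample: one loader whose DLL exists (created here) plus the
    two entries quoted in the thread."""
    present = os.path.join(tmpdir, "present.dll")
    open(present, "wb").close()
    return [
        AutostartEntry("HK_LM:RUN", "example",
                       f'"{os.path.join(tmpdir, "regsvr32.exe")}" /s "{present}"'),
        AutostartEntry("HK_LM:RUN", "tvqovopxqkkikqci",
                       r"C:\windows\system32\regsvr32.exe /s C:\windows\system32\kbpbajqxcalvdqgo.dll"),
        AutostartEntry("System.ini", "iifefETl", "iifefETl.dll"),
    ]


def run_demo() -> list[tuple[str, Optional[str], Optional[str], str]]:
    """Build the sample in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return triage(sample_entries(tmpdir))


if __name__ == "__main__":
    for value, loader, target, status in run_demo():
        print(f"{status:10} {value:18} loader={loader} payload={target}")
```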

#15 zombiewhacker (Topic Starter, Members, 107 posts)

Posted 23 October 2008 - 05:37 PM

Oh, yeah, and one other small problem: I'm no longer able to disconnect from the internet. (I have dial-up.) When I click disconnect, I stay connected. I have to unplug my modem and/or shut down my computer in order to disconnect.



