
Vundo Infection


This topic is locked
30 replies to this topic

#1 Ishiki


Posted 01 March 2009 - 06:02 PM

I've had this infection for about a week and a half now. I may have gotten it from a humorous forward that my mom sent me of modified company logos, since the pop-ups started while I was reading that, but my mom says that the computer she was using to read and send that doesn't have any infection that she knows of, though I do think our other home computer has some form of Vundo as well (I don't think that one can access the internet right now either). At first I got pop-ups in my internet browsers and MS Antivirus 2009 messages and such. I ran a few different programs including the McAfee On Access Scan/Virus Scan that my college network uses, free Panda Activescan 2.0 online, free Threatfire, etc.
Then once when I restarted it, Cisco Clean Access Agent, which allows login to access the school's internet connection, said it required a Microsoft update, but said it couldn't connect to the internet when I tried to download it, and I couldn't get online. The Windows Security Center Firewall was turned off, though I'm pretty sure I didn't do that, and it wouldn't turn back on by clicking on it or going into internet settings. Also, whenever I turned on my computer there was an icon for MS Antivirus 2009 on the bar by the time. I'd right click and tell it to close, and it would open some windows warning me not to, and I'd use the Task Manager to force it to close.
Every time I turn on or restart my computer, I run VirusScan On-Demand, Scanning Running Processes-Memory, and it always finds one infection that it identifies as Vundo, and says it's deleted, and when I tried searching for that file once it wasn't there, so I assume it was deleted. VirusScan doesn't find anything on the Local Drives, and I'm pretty sure Threatfire hasn't found anything in scans, at least since the Virusscan routine started. Twice the day before yesterday I ran VirusScan OnDemand-Running Processes-Memory and it would say it found one infection but didn't have a description like usual or information on whether it was deleted or not.
Last time I turned on my computer MS Antivirus 2009 wasn't running, but VirusScan On-Demand still found an infection, and had a description and said it was deleted.

I've been using a Computer Lab Computer for internet and downloads.

__________________________________

DDS.txt:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Christopher at 16:13:17.89 on Sun 03/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1273 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
H:\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {e13e0a87-7c16-e97b-90b4-3e7416556681}: {18665561-47e3-4b09-b79e-61c778a0e31e} - c:\windows\system32\qjnzyj.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {868eaaeb-c6a0-473e-ab2d-0ad5d5e29423} - c:\windows\system32\rqRhfeca.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [updateMgr] "c:\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [3465c0e1] rundll32.exe "c:\windows\system32\ivdwxdpd.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\christopher\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxp://cscmail2.stkate.edu/dwa8W.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ddcCVNET - ddcCVNET.dll
AppInit_DLLs: qjnzyj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\rqRhfeca

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\308lk7t4.default\
FF - prefs.js: browser.search.selectedEngine - Facebook
FF - prefs.js: browser.startup.homepage - hxxp://www.stkate.edu/
FF - plugin: c:\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: c:\documents and settings\christopher\application data\mozilla\firefox\profiles\308lk7t4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-2-23 16640]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-15 28544]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-15 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-15 39200]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-9-3 58048]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-8-4 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-8-4 3904]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-9-3 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-9-3 108256]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-15 33056]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-28 17149]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-6-16 362944]

=============== Created Last 30 ================

2009-03-01 15:40 268 a---h--- C:\sqmdata08.sqm
2009-03-01 15:40 244 a---h--- C:\sqmnoopt08.sqm
2009-02-28 01:16 268 a---h--- C:\sqmdata07.sqm
2009-02-28 01:16 244 a---h--- C:\sqmnoopt07.sqm
2009-02-27 13:58 268 a---h--- C:\sqmdata06.sqm
2009-02-27 13:58 244 a---h--- C:\sqmnoopt06.sqm
2009-02-27 13:44 733 a------- c:\windows\system32\uxrnelbs.dll
2009-02-27 13:44 731 a------- c:\windows\system32\rruamsff.dll
2009-02-27 13:41 711 a------- c:\windows\system32\jakxnjep.exe
2009-02-27 10:25 268 a---h--- C:\sqmdata05.sqm
2009-02-27 10:25 244 a---h--- C:\sqmnoopt05.sqm
2009-02-26 23:10 733 a------- c:\windows\system32\mrwctlcl.dll
2009-02-26 23:10 711 a------- c:\windows\system32\nopoolex.exe
2009-02-26 23:08 731 a------- c:\windows\system32\bgqqwymt.dll
2009-02-25 22:06 268 a---h--- C:\sqmdata04.sqm
2009-02-25 22:06 244 a---h--- C:\sqmnoopt04.sqm
2009-02-25 21:01 731 a------- c:\windows\system32\hluyjdqq.dll
2009-02-25 21:01 711 a------- c:\windows\system32\hgwekgyv.exe
2009-02-25 20:58 733 a------- c:\windows\system32\mdcrjseg.dll
2009-02-22 03:26 268 a---h--- C:\sqmdata03.sqm
2009-02-22 03:26 244 a---h--- C:\sqmnoopt03.sqm
2009-02-21 14:57 268 a---h--- C:\sqmdata02.sqm
2009-02-21 14:57 244 a---h--- C:\sqmnoopt02.sqm
2009-02-21 14:35 733 a------- c:\windows\system32\fbhhxeqj.dll
2009-02-21 14:35 711 a------- c:\windows\system32\saubqqid.exe
2009-02-21 14:33 731 a------- c:\windows\system32\yrexopjq.dll
2009-02-21 02:08 268 a---h--- C:\sqmdata01.sqm
2009-02-21 02:08 244 a---h--- C:\sqmnoopt01.sqm
2009-02-21 01:48 5,674,353 a------- c:\windows\pane L.rar
2009-02-20 15:03 268 a---h--- C:\sqmdata00.sqm
2009-02-20 15:03 244 a---h--- C:\sqmnoopt00.sqm
2009-02-20 13:27 733 a------- c:\windows\system32\ivjolhje.dll
2009-02-20 13:25 <DIR> --d----- c:\program files\Runtime Software
2009-02-20 13:24 305 a------- c:\windows\system32\wjaexfdg.exe
2009-02-20 13:22 731 a------- c:\windows\system32\obuxdckl.dll
2009-02-16 22:26 0 a------- c:\windows\system32\mcrh.tmp
2009-02-16 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-16 21:57 213,029 a------- c:\windows\system32\nyspfhrg.exe
2009-02-16 21:54 72,704 a------- c:\windows\system32\ivdwxdpd.dll
2009-02-16 21:51 129,024 a------- c:\windows\system32\qjnzyj.dll
2009-02-16 21:51 129,024 a------- c:\windows\system32\kujmwfgv.dll
2009-02-16 21:51 419 a--sh--- c:\windows\system32\acefhRqr.ini2
2009-02-16 21:51 419 a--sh--- c:\windows\system32\acefhRqr.ini
2009-02-16 21:51 302,592 a------- c:\windows\system32\rqRhfeca.dll
2009-02-15 22:13 129,024 a------- c:\windows\system32\teoyoqxu.dll
2009-02-15 22:13 129,024 a------- c:\windows\system32\efywki.dll
2009-02-15 22:11 <DIR> --d----- c:\program files\Cobian Backup 8
2009-02-15 21:02 <DIR> --d----- C:\VundoFix Backups
2009-02-15 17:58 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-15 17:58 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-15 17:58 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-15 17:58 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-15 17:58 <DIR> --d----- c:\program files\ThreatFire
2009-02-15 17:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-02-15 00:41 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-15 00:40 <DIR> --d----- c:\program files\Panda Security
2009-02-14 22:12 129,024 a------- c:\windows\system32\roceot.dll
2009-02-14 22:12 129,024 a------- c:\windows\system32\lmkjopky.dll
2009-02-14 22:09 30,530 a--sh--- c:\windows\system32\twaJPqru.ini
2009-02-14 22:09 600 a--sh--- c:\windows\system32\twaJPqru.ini2
2009-02-14 22:04 36,352 a------- c:\windows\system32\ddcCVNET.dll
2009-02-13 00:21 <DIR> --d----- c:\program files\Smith Micro
2009-01-31 22:42 <DIR> --d----- c:\windows\system32\scripting
2009-01-31 22:42 <DIR> --d----- c:\windows\system32\en
2009-01-31 22:42 <DIR> --d----- c:\windows\system32\bits
2009-01-31 22:42 <DIR> --d----- c:\windows\l2schemas
2009-01-31 22:40 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-03-01 16:12 44,160 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2009-02-21 00:14 612,270,077 a------- c:\program files\Sierra.rar
2009-02-20 23:58 2,026,307 a------- c:\program files\NETGEAR.rar
2009-02-20 23:58 13,636,510 a------- c:\program files\NavDiag.rar
2009-02-20 23:57 10,234,657 a------- c:\program files\Mozilla Firefox.rar
2009-02-20 23:55 197,131,657 a------- c:\program files\Microsoft Visual Studio.rar
2009-02-20 23:17 2,543,114,606 a------- c:\program files\Guild Wars.rar
2009-02-20 22:39 154,533,197 a------- c:\program files\Corel Graphics 12.rar
2009-02-20 22:21 134,383,808 a------- c:\program files\Corel.rar
2009-02-20 22:18 256,824,110 a------- c:\program files\Common Files.rar
2009-02-13 03:17 114,376 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-31 22:43 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-17 13:53 1,851,544 a------- c:\program files\install_flash_player.exe
2007-08-04 14:46 362 a------- c:\program files\Shortcut to CheckIt.lnk
2006-02-28 13:08 3,217,896 a------- c:\program files\wbsamp.exe

============= FINISH: 16:14:09.68 ===============






#2 SifuMike


Posted 07 March 2009 - 11:14 PM

Hello Ishiki,

Sorry for the delay. We have over 500 logs backed up on only a few helpers.

If you still need help, then please post a fresh DDS log and we will take it from there.

If no reply in two days I will close this thread.

Edited by SifuMike, 08 March 2009 - 10:34 AM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Ishiki


Posted 10 March 2009 - 10:04 PM

New DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Christopher at 20:29:21.46 on Tue 03/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1377 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
H:\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {e13e0a87-7c16-e97b-90b4-3e7416556681}: {18665561-47e3-4b09-b79e-61c778a0e31e} - c:\windows\system32\qjnzyj.dll
BHO: {45fbcff9-7437-4685-a774-2c77a9a0d36f} - c:\windows\system32\rqRhfeca.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [updateMgr] "c:\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [3465c0e1] rundll32.exe "c:\windows\system32\ivdwxdpd.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\christopher\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxp://cscmail2.stkate.edu/dwa8W.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ddcCVNET - ddcCVNET.dll
AppInit_DLLs: qjnzyj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\rqRhfeca

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-2-23 16640]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-15 28544]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-15 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-15 39200]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-9-3 58048]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-8-4 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-8-4 3904]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-9-3 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-9-3 108256]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-15 33056]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-28 17149]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-6-16 362944]

=============== Created Last 30 ================

2009-03-10 20:27 121 ---sh--- c:\windows\system32\dpdxwdvi.ini
2009-03-01 16:40 268 a---h--- C:\sqmdata08.sqm
2009-03-01 16:40 244 a---h--- C:\sqmnoopt08.sqm
2009-02-28 02:16 268 a---h--- C:\sqmdata07.sqm
2009-02-28 02:16 244 a---h--- C:\sqmnoopt07.sqm
2009-02-27 14:58 268 a---h--- C:\sqmdata06.sqm
2009-02-27 14:58 244 a---h--- C:\sqmnoopt06.sqm
2009-02-27 14:44 733 a------- c:\windows\system32\uxrnelbs.dll
2009-02-27 14:44 731 a------- c:\windows\system32\rruamsff.dll
2009-02-27 14:41 711 a------- c:\windows\system32\jakxnjep.exe
2009-02-27 11:25 268 a---h--- C:\sqmdata05.sqm
2009-02-27 11:25 244 a---h--- C:\sqmnoopt05.sqm
2009-02-27 00:10 733 a------- c:\windows\system32\mrwctlcl.dll
2009-02-27 00:10 711 a------- c:\windows\system32\nopoolex.exe
2009-02-27 00:08 731 a------- c:\windows\system32\bgqqwymt.dll
2009-02-25 23:06 268 a---h--- C:\sqmdata04.sqm
2009-02-25 23:06 244 a---h--- C:\sqmnoopt04.sqm
2009-02-25 22:01 731 a------- c:\windows\system32\hluyjdqq.dll
2009-02-25 22:01 711 a------- c:\windows\system32\hgwekgyv.exe
2009-02-25 21:58 733 a------- c:\windows\system32\mdcrjseg.dll
2009-02-22 04:26 268 a---h--- C:\sqmdata03.sqm
2009-02-22 04:26 244 a---h--- C:\sqmnoopt03.sqm
2009-02-21 15:57 268 a---h--- C:\sqmdata02.sqm
2009-02-21 15:57 244 a---h--- C:\sqmnoopt02.sqm
2009-02-21 15:35 733 a------- c:\windows\system32\fbhhxeqj.dll
2009-02-21 15:35 711 a------- c:\windows\system32\saubqqid.exe
2009-02-21 15:33 731 a------- c:\windows\system32\yrexopjq.dll
2009-02-21 03:08 268 a---h--- C:\sqmdata01.sqm
2009-02-21 03:08 244 a---h--- C:\sqmnoopt01.sqm
2009-02-21 02:48 5,674,353 a------- c:\windows\pane L.rar
2009-02-20 16:03 268 a---h--- C:\sqmdata00.sqm
2009-02-20 16:03 244 a---h--- C:\sqmnoopt00.sqm
2009-02-20 14:27 733 a------- c:\windows\system32\ivjolhje.dll
2009-02-20 14:25 <DIR> --d----- c:\program files\Runtime Software
2009-02-20 14:24 305 a------- c:\windows\system32\wjaexfdg.exe
2009-02-20 14:22 731 a------- c:\windows\system32\obuxdckl.dll
2009-02-16 23:26 0 a------- c:\windows\system32\mcrh.tmp
2009-02-16 22:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-16 22:57 213,029 a------- c:\windows\system32\nyspfhrg.exe
2009-02-16 22:54 72,704 a------- c:\windows\system32\ivdwxdpd.dll
2009-02-16 22:51 129,024 a------- c:\windows\system32\qjnzyj.dll
2009-02-16 22:51 129,024 a------- c:\windows\system32\kujmwfgv.dll
2009-02-16 22:51 531 a--sh--- c:\windows\system32\acefhRqr.ini2
2009-02-16 22:51 419 a--sh--- c:\windows\system32\acefhRqr.ini
2009-02-16 22:51 302,592 a------- c:\windows\system32\rqRhfeca.dll
2009-02-15 23:13 129,024 a------- c:\windows\system32\teoyoqxu.dll
2009-02-15 23:13 129,024 a------- c:\windows\system32\efywki.dll
2009-02-15 23:11 <DIR> --d----- c:\program files\Cobian Backup 8
2009-02-15 22:02 <DIR> --d----- C:\VundoFix Backups
2009-02-15 18:58 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-15 18:58 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-15 18:58 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-15 18:58 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-15 18:58 <DIR> --d----- c:\program files\ThreatFire
2009-02-15 18:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-02-15 01:41 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-15 01:40 <DIR> --d----- c:\program files\Panda Security
2009-02-14 23:12 129,024 a------- c:\windows\system32\roceot.dll
2009-02-14 23:12 129,024 a------- c:\windows\system32\lmkjopky.dll
2009-02-14 23:09 30,530 a--sh--- c:\windows\system32\twaJPqru.ini
2009-02-14 23:09 600 a--sh--- c:\windows\system32\twaJPqru.ini2
2009-02-14 23:04 36,352 a------- c:\windows\system32\ddcCVNET.dll
2009-02-13 01:21 <DIR> --d----- c:\program files\Smith Micro

==================== Find3M ====================

2009-03-01 17:12 44,160 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2009-02-21 01:14 612,270,077 a------- c:\program files\Sierra.rar
2009-02-21 00:58 2,026,307 a------- c:\program files\NETGEAR.rar
2009-02-21 00:58 13,636,510 a------- c:\program files\NavDiag.rar
2009-02-21 00:57 10,234,657 a------- c:\program files\Mozilla Firefox.rar
2009-02-21 00:55 197,131,657 a------- c:\program files\Microsoft Visual Studio.rar
2009-02-21 00:17 2,543,114,606 a------- c:\program files\Guild Wars.rar
2009-02-20 23:39 154,533,197 a------- c:\program files\Corel Graphics 12.rar
2009-02-20 23:21 134,383,808 a------- c:\program files\Corel.rar
2009-02-20 23:18 256,824,110 a------- c:\program files\Common Files.rar
2009-02-13 04:17 114,376 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-31 23:43 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-17 14:53 1,851,544 a------- c:\program files\install_flash_player.exe
2007-08-04 15:46 362 a------- c:\program files\Shortcut to CheckIt.lnk
2006-02-28 14:08 3,217,896 a------- c:\program files\wbsamp.exe

============= FINISH: 20:30:20.93 ===============

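One way to triage the "Pseudo HJT Report" section of the two DDS logs posted above, as an added example (not a DDS feature or a BleepingComputer tool): the sample lines are copied from the first log, and the allowlists and the scoring rule are assumptions of this example.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for Vundo-style persistence.

Heuristics (assumptions of this example, not DDS behaviour): populated AppInit_DLLs,
extra LSA authentication packages, unknown Winlogon Notify packages, nameless BHO/SEH
COM hooks loading from system32, and Run keys that start rundll32 on a system32 DLL;
then cross-reference which module is anchored at several of these points at once.
"""
import ntpath
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "hook module reason")

# Constructed sample: lines copied from the poster's first DDS log.
SAMPLE_HJT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {e13e0a87-7c16-e97b-90b4-3e7416556681}: {18665561-47e3-4b09-b79e-61c778a0e31e} - c:\windows\system32\qjnzyj.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {868eaaeb-c6a0-473e-ab2d-0ad5d5e29423} - c:\windows\system32\rqRhfeca.dll
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [3465c0e1] rundll32.exe "c:\windows\system32\ivdwxdpd.dll",b
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ddcCVNET - ddcCVNET.dll
AppInit_DLLs: qjnzyj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcCVNET.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\rqRhfeca
"""

# Allowlists are assumptions for this example; tune them to the environment.
LSA_PACKAGES_OK = {"msv1_0", "nwprovau"}   # NT authentication package, NetWare provider
NOTIFY_OK = {"atiextevent"}                 # ATI display driver's Winlogon package
COM_HOOK_OK = {"shell32"}                   # legitimate nameless hooks living in system32

CLSID = r"\{[0-9a-f-]{36}\}"
COM_HOOK_RE = re.compile(rf"^(?P<hook>BHO|SEH): (?P<name>.*?)(?P<clsid>{CLSID})\s*-\s*(?P<path>.+)$", re.I)
RUN_KEY_RE = re.compile(r"^(?P<hook>[um]Run): \[(?P<key>[^\]]+)\]\s*(?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>.+?) - (?P<dll>.+)$")
IN_SYSTEM32 = re.compile(r"\\system32\\", re.I)


def module_stem(path):
    """Lower-cased file name without directory or extension, so the LSA entry
    'c:\\windows\\system32\\rqRhfeca' and the BHO entry 'rqRhfeca.dll' compare equal."""
    return ntpath.splitext(ntpath.basename(path.strip()))[0].lower()


def triage(lines):
    """Return one Finding per suspicious persistence entry in the report lines."""
    findings = []
    for line in (l.strip() for l in lines):
        if line.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that links user32.
            for dll in re.split(r"[\s,]+", line.split(":", 1)[1].strip()):
                if dll:
                    findings.append(Finding("AppInit_DLLs", module_stem(dll),
                                            "DLL injected into every user32 process"))
        elif line.startswith("LSA: Authentication Packages"):
            # Extra packages run inside lsass.exe and see every logon attempt.
            for pkg in line.split("=", 1)[1].split():
                if module_stem(pkg) not in LSA_PACKAGES_OK:
                    findings.append(Finding("LSA", module_stem(pkg),
                                            "unexpected LSA authentication package"))
        elif m := NOTIFY_RE.match(line):
            if m["name"].lower() not in NOTIFY_OK:
                findings.append(Finding("Notify", module_stem(m["dll"]),
                                        "unknown Winlogon notification package"))
        elif m := COM_HOOK_RE.match(line):
            # A hook with no display name, loading from system32, is the Vundo pattern here.
            nameless = not m["name"].strip() or m["name"].lstrip().startswith("{")
            stem = module_stem(m["path"])
            if nameless and IN_SYSTEM32.search(m["path"]) and stem not in COM_HOOK_OK:
                findings.append(Finding(m["hook"].upper(), stem,
                                        "nameless COM hook loading from system32"))
        elif m := RUN_KEY_RE.match(line):
            r = RUNDLL_RE.search(m["cmd"])
            if r and IN_SYSTEM32.search(r["path"]):
                reason = "rundll32 starts a system32 DLL at logon"
                if re.fullmatch(r"[0-9a-f]{8}", m["key"], re.I):
                    reason += ", random-looking Run key name"
                findings.append(Finding(m["hook"], module_stem(r["path"]), reason))
    return findings


def hook_counts(findings):
    """Number of distinct persistence points each flagged module is anchored to."""
    hooks = {}
    for f in findings:
        hooks.setdefault(f.module, set()).add(f.hook)
    return Counter({mod: len(h) for mod, h in hooks.items()})


def multi_hooked(findings, min_hooks=2):
    """Modules anchored at min_hooks or more distinct points; one DLL registered as
    BHO, Notify package and SEH at once is the clearest signal in this log."""
    return sorted(mod for mod, n in hook_counts(findings).items() if n >= min_hooks)
```

Running `triage(SAMPLE_HJT.strip().splitlines())` flags qjnzyj, ddcCVNET, rqRhfeca and ivdwxdpd while leaving the Adobe, Java and ThreatFire entries alone, and `multi_hooked` ranks ddcCVNET (BHO, Notify and SEH) first.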



#4 SifuMike


Posted 10 March 2009 - 10:09 PM

Is this a business or work computer?

If no reply in two days I will close this thread.

Edited by SifuMike, 10 March 2009 - 10:49 PM.
typo


#5 Ishiki


Posted 11 March 2009 - 11:55 AM

No, it's a personal computer, a desktop PC, custom built. C, D, and F are hard drives, E is cd/dvd drive, and G and H are removable memory.

#6 SifuMike


Posted 11 March 2009 - 06:42 PM

Hello Ishiki,

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read ComboFix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee VirusScan Enterprise before running ComboFix, as it will prevent it from running. <==== IMPORTANT


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Disconnect your internet connection cable from the computer while running ComboFix.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

A caution -
Disconnect your internet connection cable from the computer while running ComboFix.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

#7 Ishiki


Posted 14 March 2009 - 07:08 PM

Combofix will not run on my computer.

I downloaded it on a school computer and if I click on the icon there it opens, but when I copy that to a usb drive and put it on my computer's desktop, it will not run.

I can't get McAfee VirusScan On-Access Scan off the task bar though. It says it's disabled. I right clicked and disabled it, and the icon says it's disabled, and I went in and deactivated and unchecked several things, but I can't make it entirely go away.

A search doesn't turn up any older files using the keyword combofix. It also doesn't find any Windows Recovery Console.

I've turned off Windows Firewall, and unplugged the internet cord.

I've tried with and without various programs that have icons by the time, like Windows Live Messenger, Sound Effect, Cisco Clean Access Agent.

I'm not sure if it's the Combofix doing it, but a few times I've gotten a Work Offline notification. I can select either Work Offline or Try Again and nothing happens.

So I don't know if it's Vundo doing it, or if there's something else in the way or missing, or what.

I've tried downloading Combofix from both BleepingComputer and Geekstogo.

Maybe the problem is that I can't download it directly to my desktop because I can't access the internet on my own computer. But I transfer it from the USB drive to my desktop.

#8 SifuMike


Posted 14 March 2009 - 07:22 PM

Hi,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll


#9 Ishiki


Posted 14 March 2009 - 08:08 PM

This is also failing to install or run on my computer.

#10 SifuMike


Posted 14 March 2009 - 09:23 PM

Hi,

Time to use a different tool.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Root Kit Search section click on Yes.
  • Under Additional Scans click the EXTRAS button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or another location where you can find it again.
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/207590/vundo-infection/?p=1178033
  • Click Browse and select the OTScanIT2 log
  • Under the comments section, say that SifuMike asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

#11 Ishiki


Posted 14 March 2009 - 10:54 PM

Both ran fine.

I have submitted the log.

#12 SifuMike


Posted 15 March 2009 - 07:33 PM

Hi,

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\acefhrqr.ini
%systemroot%\system32\acefhrqr.ini2
%systemroot%\system32\bgqqwymt.dll
%systemroot%\system32\ddccvnet.dll
%systemroot%\system32\efywki.dll
%systemroot%\system32\fbhhxeqj.dll
%systemroot%\system32\hgwekgyv.exe
%systemroot%\system32\hluyjdqq.dll
%systemroot%\system32\ivdwxdpd.dll
%systemroot%\system32\ivjolhje.dll
%systemroot%\system32\jakxnjep.exe
%systemroot%\system32\kujmwfgv.dll
%systemroot%\system32\lmkjopky.dll
%systemroot%\system32\mdcrjseg.dll
%systemroot%\system32\mrwctlcl.dll
%systemroot%\system32\nopoolex.exe
%systemroot%\system32\nyspfhrg.exe
%systemroot%\system32\obuxdckl.dll
%systemroot%\system32\qjnzyj.dll
%systemroot%\system32\roceot.dll
%systemroot%\system32\rqrhfeca.dll
%systemroot%\system32\rruamsff.dll
%systemroot%\system32\saubqqid.exe
%systemroot%\system32\teoyoqxu.dll
%systemroot%\system32\twajpqru.ini
%systemroot%\system32\twajpqru.ini2
%systemroot%\system32\uxrnelbs.dll
%systemroot%\system32\wjaexfdg.exe
%systemroot%\system32\yrexopjq.dll
%systemroot%\tasks\aswljrfx.job
%userprofile%\local settings\temp\_ad129.exe
%userprofile%\local settings\temp\bm_v.exe
Folders to delete:
%systemdrive%\vundofix backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {18665561-47e3-4b09-b79e-61c778a0e31e} [HKLM] -> %SystemRoot%\system32\qjnzyj.dll [Reg Error: Value error.]
YY -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKLM] -> %SystemRoot%\system32\ddcCVNET.dll [Reg Error: Value error.]
YY -> {74823427-5265-4721-81EC-535998487AAE} [HKLM] -> %SystemRoot%\system32\rqRhfeca.dll [Reg Error: Value error.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "3465c0e1" -> %SystemRoot%\system32\ivdwxdpd.DLL [rundll32.exe "C:\WINDOWS\system32\ivdwxdpd.dll",b]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> qjnzyj.dll -> %SystemRoot%\system32\qjnzyj.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> ddcCVNET -> %SystemRoot%\system32\ddcCVNET.dll
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" [HKLM] -> %SystemRoot%\system32\ddcCVNET.dll []
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\rqRhfeca -> %SystemRoot%\system32\rqRhfeca.dll
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe" -> C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe [C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe:*:Enabled:LaunchAnywhere GUI]
[Files/Folders - Created Within 30 Days]
NY -> uxrnelbs.dll -> %SystemRoot%\System32\uxrnelbs.dll
NY -> rruamsff.dll -> %SystemRoot%\System32\rruamsff.dll
NY -> jakxnjep.exe -> %SystemRoot%\System32\jakxnjep.exe
NY -> mrwctlcl.dll -> %SystemRoot%\System32\mrwctlcl.dll
NY -> nopoolex.exe -> %SystemRoot%\System32\nopoolex.exe
NY -> bgqqwymt.dll -> %SystemRoot%\System32\bgqqwymt.dll
NY -> hluyjdqq.dll -> %SystemRoot%\System32\hluyjdqq.dll
NY -> hgwekgyv.exe -> %SystemRoot%\System32\hgwekgyv.exe
NY -> mdcrjseg.dll -> %SystemRoot%\System32\mdcrjseg.dll
NY -> fbhhxeqj.dll -> %SystemRoot%\System32\fbhhxeqj.dll
NY -> saubqqid.exe -> %SystemRoot%\System32\saubqqid.exe
NY -> yrexopjq.dll -> %SystemRoot%\System32\yrexopjq.dll
NY -> ivjolhje.dll -> %SystemRoot%\System32\ivjolhje.dll
NY -> wjaexfdg.exe -> %SystemRoot%\System32\wjaexfdg.exe
NY -> obuxdckl.dll -> %SystemRoot%\System32\obuxdckl.dll
NY -> nyspfhrg.exe -> %SystemRoot%\System32\nyspfhrg.exe
NY -> ivdwxdpd.dll -> %SystemRoot%\System32\ivdwxdpd.dll
NY -> qjnzyj.dll -> %SystemRoot%\System32\qjnzyj.dll
NY -> kujmwfgv.dll -> %SystemRoot%\System32\kujmwfgv.dll
NY -> acefhRqr.ini -> %SystemRoot%\System32\acefhRqr.ini
NY -> acefhRqr.ini2 -> %SystemRoot%\System32\acefhRqr.ini2
NY -> rqRhfeca.dll -> %SystemRoot%\System32\rqRhfeca.dll
NY -> teoyoqxu.dll -> %SystemRoot%\System32\teoyoqxu.dll
NY -> efywki.dll -> %SystemRoot%\System32\efywki.dll
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> roceot.dll -> %SystemRoot%\System32\roceot.dll
NY -> lmkjopky.dll -> %SystemRoot%\System32\lmkjopky.dll
NY -> twaJPqru.ini -> %SystemRoot%\System32\twaJPqru.ini
NY -> twaJPqru.ini2 -> %SystemRoot%\System32\twaJPqru.ini2
NY -> aswljrfx.job -> %SystemRoot%\tasks\aswljrfx.job
NY -> ddcCVNET.dll -> %SystemRoot%\System32\ddcCVNET.dll
[Files/Folders - Modified Within 30 Days]
NY -> 14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> acefhRqr.ini -> %SystemRoot%\System32\acefhRqr.ini
NY -> acefhRqr.ini2 -> %SystemRoot%\System32\acefhRqr.ini2
NY -> uxrnelbs.dll -> %SystemRoot%\System32\uxrnelbs.dll
NY -> rruamsff.dll -> %SystemRoot%\System32\rruamsff.dll
NY -> jakxnjep.exe -> %SystemRoot%\System32\jakxnjep.exe
NY -> mrwctlcl.dll -> %SystemRoot%\System32\mrwctlcl.dll
NY -> nopoolex.exe -> %SystemRoot%\System32\nopoolex.exe
NY -> bgqqwymt.dll -> %SystemRoot%\System32\bgqqwymt.dll
NY -> hluyjdqq.dll -> %SystemRoot%\System32\hluyjdqq.dll
NY -> hgwekgyv.exe -> %SystemRoot%\System32\hgwekgyv.exe
NY -> mdcrjseg.dll -> %SystemRoot%\System32\mdcrjseg.dll
NY -> fbhhxeqj.dll -> %SystemRoot%\System32\fbhhxeqj.dll
NY -> saubqqid.exe -> %SystemRoot%\System32\saubqqid.exe
NY -> yrexopjq.dll -> %SystemRoot%\System32\yrexopjq.dll
NY -> ivjolhje.dll -> %SystemRoot%\System32\ivjolhje.dll
NY -> wjaexfdg.exe -> %SystemRoot%\System32\wjaexfdg.exe
NY -> obuxdckl.dll -> %SystemRoot%\System32\obuxdckl.dll
NY -> _ad129.exe -> %UserProfile%\Local Settings\Temp\_ad129.exe
NY -> bm_v.exe -> %UserProfile%\Local Settings\Temp\bm_v.exe
NY -> nyspfhrg.exe -> %SystemRoot%\System32\nyspfhrg.exe
NY -> ivdwxdpd.dll -> %SystemRoot%\System32\ivdwxdpd.dll
NY -> qjnzyj.dll -> %SystemRoot%\System32\qjnzyj.dll
NY -> kujmwfgv.dll -> %SystemRoot%\System32\kujmwfgv.dll
NY -> rqRhfeca.dll -> %SystemRoot%\System32\rqRhfeca.dll
NY -> twaJPqru.ini -> %SystemRoot%\System32\twaJPqru.ini
NY -> twaJPqru.ini2 -> %SystemRoot%\System32\twaJPqru.ini2
NY -> teoyoqxu.dll -> %SystemRoot%\System32\teoyoqxu.dll
NY -> efywki.dll -> %SystemRoot%\System32\efywki.dll
NY -> lmkjopky.dll -> %SystemRoot%\System32\lmkjopky.dll
NY -> ddcCVNET.dll -> %SystemRoot%\System32\ddcCVNET.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new OTScanIt2 scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Under Additional Scans click the Extra button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
The Avenger report (c:\Avenger.txt). This will be a short report, so you will be able to post it.

The latest OTScanIt2 fix log (look in the OTScanIt2 folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. ) This will be a short log, so you will be able to post it.

The new OTScanIt2 scan log. This should be a short log, so you should be able to post it. If the file is too big to post, then you can upload it to me here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
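The fix script in the post above is, read as a whole, a map of every autostart location the infection used: Browser Helper Objects, the HKLM Run key, AppInit_DLLs, Winlogon\Notify, ShellExecuteHooks, an LSA Authentication Package, a firewall exception and a scheduled task. Before running a delete list like that, a responder usually wants two things from it: which module is wired into how many of those locations (the ones hooked several times are the core components, and removing only the BHO would not have dislodged them), and which dropped files belong together. The following triage script is an added example, not part of this thread and not part of OldTimer's OTScanIt2. It parses lines copied from the fix script above, groups the loaded modules by autostart location, and looks for Vundo's mirrored-name pairs (an .ini whose stem is a .dll stem spelled backwards, as acefhRqr.ini and rqRhfeca.dll are above). The meaning of the two-letter prefix on each line (first letter for the registry item, second for the file) is my reading of the log format, not documented on the page, and the ranking heuristics are mine.

```python
"""Triage an OTScanIt2 fix script before running it (added example; not
part of the thread or of OldTimer's tool). Reports which autostart
locations (ASEPs) load each module, and Vundo's mirrored-name file pairs."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Lines copied from the fix script in post #12 above (abridged).
SAMPLE_FIX = r"""
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {18665561-47e3-4b09-b79e-61c778a0e31e} [HKLM] -> %SystemRoot%\system32\qjnzyj.dll [Reg Error: Value error.]
YY -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKLM] -> %SystemRoot%\system32\ddcCVNET.dll [Reg Error: Value error.]
YY -> {74823427-5265-4721-81EC-535998487AAE} [HKLM] -> %SystemRoot%\system32\rqRhfeca.dll [Reg Error: Value error.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "3465c0e1" -> %SystemRoot%\system32\ivdwxdpd.DLL [rundll32.exe "C:\WINDOWS\system32\ivdwxdpd.dll",b]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> qjnzyj.dll -> %SystemRoot%\system32\qjnzyj.dll
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> ddcCVNET -> %SystemRoot%\system32\ddcCVNET.dll
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" [HKLM] -> %SystemRoot%\system32\ddcCVNET.dll []
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\rqRhfeca -> %SystemRoot%\system32\rqRhfeca.dll
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe" -> C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe [C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe:*:Enabled:LaunchAnywhere GUI]
[Files/Folders - Created Within 30 Days]
NY -> acefhRqr.ini -> %SystemRoot%\System32\acefhRqr.ini
NY -> rqRhfeca.dll -> %SystemRoot%\System32\rqRhfeca.dll
NY -> twaJPqru.ini -> %SystemRoot%\System32\twaJPqru.ini
NY -> ddcCVNET.dll -> %SystemRoot%\System32\ddcCVNET.dll
[Empty Temp Folders]
"""

# "< name [HIVE] > -> key" opens an ASEP section; "RF -> item -> target" is an
# entry. Assumption: the two flags mean (R)egistry item / (F)ile item present.
SECTION_RE = re.compile(r'^< (?P<name>.*?)(?: \[HKEY_[A-Z_]+\\?\])? > -> (?P<key>.+)$')
ENTRY_RE = re.compile(r'^(?P<reg>[YN])(?P<file>[YN]) -> (?P<item>.+?) -> (?P<target>.+)$')
TARGET_RE = re.compile(r'^(?P<path>.*?)(?: \[(?P<note>.*)\])?$')   # drop trailing [...] note


@dataclass
class Report:
    hooks: dict = field(default_factory=lambda: defaultdict(list))  # module -> [ASEP, ...]
    dangling: list = field(default_factory=list)  # (ASEP, item) with no file behind it
    files: list = field(default_factory=list)     # basenames from the file sections


def _basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_fix_script(text):
    report, section = Report(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('*'):          # blank, or "*key*" sub-header
            continue
        if line.startswith('['):                      # [Registry - Safe List], [Files/...]
            section = 'files' if line.startswith('[Files/Folders') else None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('name')
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        target = TARGET_RE.match(m.group('target')).group('path')
        if section == 'files':
            report.files.append(_basename(target))
        elif '\\' not in target:                      # e.g. "Reg Error: Key error."
            item = re.sub(r' \[HK[A-Z]+\]$', '', m.group('item')).strip('"')
            report.dangling.append((section, item))
        else:
            report.hooks[_basename(target).lower()].append(section)
    return report


def rank_by_hook_count(report):
    """Modules wired into the most ASEPs first: those are the core components."""
    return sorted(report.hooks.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def find_reversed_pairs(filenames):
    """Vundo pairs a DLL with an .ini whose stem is the DLL stem reversed
    (acefhRqr.ini <-> rqRhfeca.dll); a lone half means its partner is still unlisted."""
    stems = {name.rsplit('.', 1)[0].lower() for name in filenames}
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] in stems and s[::-1] != s}
    return sorted(pairs)


if __name__ == '__main__':
    rep = parse_fix_script(SAMPLE_FIX)
    for module, aseps in rank_by_hook_count(rep):
        print(f'{module:14} {len(aseps)} ASEP(s): {", ".join(aseps)}')
    print('dangling:', rep.dangling)
    print('mirrored pairs:', find_reversed_pairs(rep.files))
```

On the sample above the ranking puts ddcCVNET.dll first, loaded from three places (BHO, Winlogon\Notify and ShellExecuteHooks), with qjnzyj.dll (BHO plus AppInit_DLLs) and rqRhfeca.dll (BHO plus an LSA Authentication Package) next; the AppInit_DLLs and LSA hooks are the ones that get a DLL into every process or into lsass.exe at boot, which is why deleting files without clearing these values, or clearing the values before the files, leaves either a reinfection path or a "module could not be found" error at logon. The file check finds the acefhRqr/rqRhfeca pair, while twaJPqru.ini has no mirror image in the list, which is worth a look before declaring the machine clean.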

#13 Ishiki


Posted 15 March 2009 - 08:43 PM

I was able to complete steps 1 and 2 only, because my computer is not able to access the internet (since shortly after it was infected).

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACvxsdpxwp.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\acefhrqr.ini" deleted successfully.
File "C:\WINDOWS\system32\acefhrqr.ini2" deleted successfully.
File "C:\WINDOWS\system32\bgqqwymt.dll" deleted successfully.
File "C:\WINDOWS\system32\ddccvnet.dll" deleted successfully.
File "C:\WINDOWS\system32\efywki.dll" deleted successfully.
File "C:\WINDOWS\system32\fbhhxeqj.dll" deleted successfully.
File "C:\WINDOWS\system32\hgwekgyv.exe" deleted successfully.
File "C:\WINDOWS\system32\hluyjdqq.dll" deleted successfully.
File "C:\WINDOWS\system32\ivdwxdpd.dll" deleted successfully.
File "C:\WINDOWS\system32\ivjolhje.dll" deleted successfully.
File "C:\WINDOWS\system32\jakxnjep.exe" deleted successfully.
File "C:\WINDOWS\system32\kujmwfgv.dll" deleted successfully.
File "C:\WINDOWS\system32\lmkjopky.dll" deleted successfully.
File "C:\WINDOWS\system32\mdcrjseg.dll" deleted successfully.
File "C:\WINDOWS\system32\mrwctlcl.dll" deleted successfully.
File "C:\WINDOWS\system32\nopoolex.exe" deleted successfully.
File "C:\WINDOWS\system32\nyspfhrg.exe" deleted successfully.
File "C:\WINDOWS\system32\obuxdckl.dll" deleted successfully.
File "C:\WINDOWS\system32\qjnzyj.dll" deleted successfully.
File "C:\WINDOWS\system32\roceot.dll" deleted successfully.
File "C:\WINDOWS\system32\rqrhfeca.dll" deleted successfully.
File "C:\WINDOWS\system32\rruamsff.dll" deleted successfully.
File "C:\WINDOWS\system32\saubqqid.exe" deleted successfully.
File "C:\WINDOWS\system32\teoyoqxu.dll" deleted successfully.
File "C:\WINDOWS\system32\twajpqru.ini" deleted successfully.
File "C:\WINDOWS\system32\twajpqru.ini2" deleted successfully.
File "C:\WINDOWS\system32\uxrnelbs.dll" deleted successfully.
File "C:\WINDOWS\system32\wjaexfdg.exe" deleted successfully.
File "C:\WINDOWS\system32\yrexopjq.dll" deleted successfully.
File "C:\WINDOWS\tasks\aswljrfx.job" deleted successfully.
File "C:\Documents and Settings\Christopher\local settings\temp\_ad129.exe" deleted successfully.
File "C:\Documents and Settings\Christopher\local settings\temp\bm_v.exe" deleted successfully.
Folder "C:\vundofix backups" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#14 Ishiki


Posted 15 March 2009 - 08:44 PM

Here's the OTScanIt2 log (Step 2):

Process Explorer.EXE killed successfully!
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18665561-47e3-4b09-b79e-61c778a0e31e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18665561-47e3-4b09-b79e-61c778a0e31e}\ deleted successfully.
File C:\WINDOWS\system32\qjnzyj.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ deleted successfully.
File C:\WINDOWS\system32\ddcCVNET.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74823427-5265-4721-81EC-535998487AAE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74823427-5265-4721-81EC-535998487AAE}\ not found.
File C:\WINDOWS\system32\rqRhfeca.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\3465c0e1 deleted successfully.
File C:\WINDOWS\system32\ivdwxdpd.DLL not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:qjnzyj.dll deleted successfully.
File C:\WINDOWS\system32\qjnzyj.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcCVNET\ deleted successfully.
File C:\WINDOWS\system32\ddcCVNET.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ not found.
File C:\WINDOWS\system32\ddcCVNET.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\rqRhfeca deleted successfully.
File C:\WINDOWS\system32\rqRhfeca.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Christopher\Local Settings\Temp\I1179857127\Windows\NavDiag.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\uxrnelbs.dll not found!
File C:\WINDOWS\System32\rruamsff.dll not found!
File C:\WINDOWS\System32\jakxnjep.exe not found!
File C:\WINDOWS\System32\mrwctlcl.dll not found!
File C:\WINDOWS\System32\nopoolex.exe not found!
File C:\WINDOWS\System32\bgqqwymt.dll not found!
File C:\WINDOWS\System32\hluyjdqq.dll not found!
File C:\WINDOWS\System32\hgwekgyv.exe not found!
File C:\WINDOWS\System32\mdcrjseg.dll not found!
File C:\WINDOWS\System32\fbhhxeqj.dll not found!
File C:\WINDOWS\System32\saubqqid.exe not found!
File C:\WINDOWS\System32\yrexopjq.dll not found!
File C:\WINDOWS\System32\ivjolhje.dll not found!
File C:\WINDOWS\System32\wjaexfdg.exe not found!
File C:\WINDOWS\System32\obuxdckl.dll not found!
File C:\WINDOWS\System32\nyspfhrg.exe not found!
File C:\WINDOWS\System32\ivdwxdpd.dll not found!
File C:\WINDOWS\System32\qjnzyj.dll not found!
File C:\WINDOWS\System32\kujmwfgv.dll not found!
File C:\WINDOWS\System32\acefhRqr.ini not found!
File C:\WINDOWS\System32\acefhRqr.ini2 not found!
File C:\WINDOWS\System32\rqRhfeca.dll not found!
File C:\WINDOWS\System32\teoyoqxu.dll not found!
File C:\WINDOWS\System32\efywki.dll not found!
File C:\VundoFix Backups not found!
File C:\WINDOWS\System32\roceot.dll not found!
File C:\WINDOWS\System32\lmkjopky.dll not found!
File C:\WINDOWS\System32\twaJPqru.ini not found!
File C:\WINDOWS\System32\twaJPqru.ini2 not found!
File C:\WINDOWS\tasks\aswljrfx.job not found!
File C:\WINDOWS\System32\ddcCVNET.dll not found!
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\LMI41.tmp folder deleted successfully.
C:\WINDOWS\LMI44.tmp folder deleted successfully.
C:\WINDOWS\LMI50.tmp folder deleted successfully.
C:\WINDOWS\LMIAE.tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
File C:\WINDOWS\System32\acefhRqr.ini not found!
File C:\WINDOWS\System32\acefhRqr.ini2 not found!
File C:\WINDOWS\System32\uxrnelbs.dll not found!
File C:\WINDOWS\System32\rruamsff.dll not found!
File C:\WINDOWS\System32\jakxnjep.exe not found!
File C:\WINDOWS\System32\mrwctlcl.dll not found!
File C:\WINDOWS\System32\nopoolex.exe not found!
File C:\WINDOWS\System32\bgqqwymt.dll not found!
File C:\WINDOWS\System32\hluyjdqq.dll not found!
File C:\WINDOWS\System32\hgwekgyv.exe not found!
File C:\WINDOWS\System32\mdcrjseg.dll not found!
File C:\WINDOWS\System32\fbhhxeqj.dll not found!
File C:\WINDOWS\System32\saubqqid.exe not found!
File C:\WINDOWS\System32\yrexopjq.dll not found!
File C:\WINDOWS\System32\ivjolhje.dll not found!
File C:\WINDOWS\System32\wjaexfdg.exe not found!
File C:\WINDOWS\System32\obuxdckl.dll not found!
File C:\Documents and Settings\Christopher\Local Settings\Temp\_ad129.exe not found!
File C:\Documents and Settings\Christopher\Local Settings\Temp\bm_v.exe not found!
File C:\WINDOWS\System32\nyspfhrg.exe not found!
File C:\WINDOWS\System32\ivdwxdpd.dll not found!
File C:\WINDOWS\System32\qjnzyj.dll not found!
File C:\WINDOWS\System32\kujmwfgv.dll not found!
File C:\WINDOWS\System32\rqRhfeca.dll not found!
File C:\WINDOWS\System32\twaJPqru.ini not found!
File C:\WINDOWS\System32\twaJPqru.ini2 not found!
File C:\WINDOWS\System32\teoyoqxu.dll not found!
File C:\WINDOWS\System32\efywki.dll not found!
File C:\WINDOWS\System32\lmkjopky.dll not found!
File C:\WINDOWS\System32\ddcCVNET.dll not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Christopher\Local Settings\Temp\~DFA1A.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.8.0 fix logfile created on 03152009_200604

Files moved on Reboot...
C:\Documents and Settings\Christopher\Local Settings\Temp\~DFA1A.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#15 Ishiki


Posted 15 March 2009 - 08:56 PM

Window at startup, after the Avenger logfile opened:


RUNDLL
    Error loading C:\WINDOWS\system32\ivdwxdpd.dll
    The specified module could not be found.
    [OK]



Then I ran OTScanIt2

....

After that I went into Network Connections to enable connections, but the dial-up connection says "Unavailable - device missing".

When I try to log onto Cisco Clean Access Agent, I get this window:


Windows API Error
    An error occured while calling the last Windows API function.
    Below is the error information:
    Error Number= 2
    Error Description= The system cannot find the file specified.
    [OK]



After I click OK, I get this window:


Cisco Clean Access Agent
    string error
    [Yes] [No]



Selecting No sends me back to the previous window, where I click OK again, and it closes and the Cisco Clean Access Agent main window changes and says:



Network Error !

Detail: The system cannot find the file specified.[2]

and the only button says Close


...

When I try again, I get the first window, click OK, and the second, and click Yes, and get this window:

Security Alert
    Revocation information for the security certificate for this site is not available.
    Do you want to proceed?
    [Yes] [No] [View Certificate]




I click yes and am granted temporary access because my system does not meet the requirements.

I click Continue

The next window says:

    Please download and install the required windows updates before accessing the network.

    Required Software

    Name: Windows Update Service
    Description: launches windows updates


I click Update.

The window stays the same, but red text appears above the buttons:

Could not contact Windows Updates server. Please verify your network connection.


So I cancel all that.

I unblock Windows Firewall and Automatic Updates and try again.

Now I don't get any error messages on Cisco, but when I click Update, it says:


Checking and installing Windows Updates. Please Wait...


and then


Failed to install Windows Updates




~~~~~~~~~~~~~~~~~~~~~

So, I'm not able to get online to do the online scan.



