
Infected by Vundo / Trojan Downloader Agent BQXC


This topic is locked
22 replies to this topic

#1 eahwal

  • Members
  • 12 posts

Posted 09 May 2009 - 12:34 AM

Hi everyone,

The problem I have is extra browser windows with ads showing up when I am online. It looks like I was infected by the Vundo virus. I ran Malwarebytes, which detected it, but removing it did not work (it showed up again on the next reboot). Spybot Doctor detected Trojan Downloader Agent BQXC. I'm hoping you guys can help me!

The DDS script does not work on my operating system apparently (I am on 64-bit XP), so I have posted just the HJT log. This is my first time posting, so let me know if I got something wrong!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:57 PM, on 5/8/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~2\SYMANT~1\VPTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\BroadJump\Client Foundation\CFD.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\HJT\HijackThis.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesear...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customse...msearch-en.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fcad562-a946-4642-8d4c-f6f04c467ef5} - C:\WINDOWS\SysWow64\mojujebu.dll
O2 - BHO: IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:\PROGRA~1\OCINS\ieaux.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\SysWow64\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files (x86)\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [CPM57398cc3] Rundll32.exe "c:\windows\system32\nofijoke.dll",a
O4 - HKLM\..\Run: [jabipapobe] Rundll32.exe "C:\WINDOWS\system32\tesirolo.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files (x86)\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files (x86)\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Access Internet Keyword - C:\Program Files\OCINS\cnrbtn.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://games.asobrain.com
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://my.mofo.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127896034687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9612E0F-4E33-4256-992C-59F64729C59E} (SpellChecker.CheckSpelling) - https://synergy.deloitte.com/SpellChecker.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\nofijoke.dll,C:\WINDOWS\system32\guvebosa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\nofijoke.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\nofijoke.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9887 bytes
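The log above is worth reading for what it shows about persistence: the same unsigned module (nofijoke.dll) is registered from a Run key (O4), AppInit_DLLs (O20), ShellServiceObjectDelayLoad (O21) and SharedTaskScheduler (O22), so clearing any one of those leaves the others to bring it back at the next logon. The following triage script is an added example for this thread, not a BleepingComputer or HijackThis tool; it scores HJT lines with a few defender heuristics and groups the autostart references by module. The sample lines are an excerpt modelled on the posted log, and the "eight lowercase letters" rule is an assumption fitted to this machine's naming pattern, not a general malware signature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt modelled on the HijackThis log posted above
# (clean and suspicious entries from sections O2, O4, O20, O21 and O22).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fcad562-a946-4642-8d4c-f6f04c467ef5} - C:\WINDOWS\SysWow64\mojujebu.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CPM57398cc3] Rundll32.exe "c:\windows\system32\nofijoke.dll",a
O4 - HKLM\..\Run: [jabipapobe] Rundll32.exe "C:\WINDOWS\system32\tesirolo.dll",s
O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\nofijoke.dll,C:\WINDOWS\system32\guvebosa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\nofijoke.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\SysWow64\nofijoke.dll
"""

# A Windows path: drive letter, directory components (which may contain spaces)
# and a final component that stops at whitespace, quotes or commas.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n,]+\\)*[^\\/:*?"<>|\r\n,\s]+')

# Assumption fitted to this log: the dropped modules are eight lowercase letters.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')
SYSTEM_DIRS = {'system32', 'syswow64'}

# Sections that load code automatically, with the reason each one matters.
AUTOLOAD_SECTIONS = {
    'O20': 'AppInit_DLLs is injected into every process that loads user32.dll',
    'O21': 'ShellServiceObjectDelayLoad is loaded by Explorer at logon',
    'O22': 'SharedTaskScheduler is loaded by Explorer at logon',
}
PERSISTENCE_SECTIONS = {'O2', 'O3', 'O4', 'O20', 'O21', 'O22', 'O23'}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def section_of(line):
    """The HJT section tag ('O4', 'O20', ...) that opens a log line."""
    return line.split(' - ', 1)[0].strip()


def findings_for(line):
    """Return the reasons (possibly none) a single HJT line deserves attention."""
    section = section_of(line)
    reasons = []
    if section in AUTOLOAD_SECTIONS:
        reasons.append(AUTOLOAD_SECTIONS[section])
    if section == 'O2' and '(no name)' in line:
        reasons.append('browser helper object registered without a name')
    if section == 'O4' and 'rundll32' in line.lower():
        reasons.append('Run key starts a DLL through Rundll32 instead of a program')
    for path in PATH_RE.findall(line):
        parts = path.lower().split('\\')
        if SYSTEM_DIRS & set(parts[:-1]) and RANDOM_NAME_RE.match(parts[-1]):
            reasons.append(f'random-looking module name in a system directory: {path}')
    return reasons


def triage(log_text):
    """Every log line that raised at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = findings_for(line)
        if reasons:
            out.append(Finding(section_of(line), line, reasons))
    return out


def persistence_map(log_text):
    """Map each module file name to the sections referencing it, so one DLL
    registered in several autostart locations is treated as one problem."""
    by_name = {}
    for line in log_text.splitlines():
        section = section_of(line)
        if section not in PERSISTENCE_SECTIONS:
            continue
        for path in PATH_RE.findall(line):
            name = path.lower().rsplit('\\', 1)[-1]
            if '.' in name:  # skip bare directory entries such as "c:\windows\system32\"
                by_name.setdefault(name, set()).add(section)
    return {name: sorted(secs, key=lambda s: int(s[1:]))
            for name, secs in by_name.items()}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('   -', r)
    for name, secs in sorted(persistence_map(SAMPLE_LOG).items()):
        print(f'{name}: {", ".join(secs)}')
```

Run against the excerpt, six of the eight lines are flagged and nofijoke.dll is reported under O4, O20, O21 and O22 at once, which is the picture a helper needs before writing a fix: every reference and the file itself have to go in the same pass.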


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Location:Bloomington, IN

Posted 23 May 2009 - 09:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 eahwal

  • Topic Starter
  • Members
  • 12 posts

Posted 24 May 2009 - 03:28 AM

Thanks for responding! When I run the DDS script it says "This tool does not support your operating system". I am on 64 bit Windows XP. Is there another way I can run the tool?

#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Location:Bloomington, IN

Posted 24 May 2009 - 01:43 PM

Hello,

Since DDS won't run, please try this:

Download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Please post that log in your next reply.
If RSIT did not work, please let us know in your next reply.

Orange Blossom :thumbup2:

#5 eahwal

  • Topic Starter
  • Members
  • 12 posts

Posted 25 May 2009 - 03:51 AM

Hello,

Thanks for your patience. Unfortunately RSIT does not work. I get:

AutoIt Error
Line -1:
Error: Variable used without being declared

I hit "ok" the only option, and the program ends.

Not sure if this is helpful, but I also tried runscanner, and it does not work on my operating system, since it is 64 bit. Sorry for causing chaos! Let me know what else I should try.

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 May 2009 - 06:21 AM

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instructions on how to back up the registry via ERUNT, please visit HERE



Please download CCleaner and save it to your Desktop.
  • Run the installer, and uncheck the option to install Yahoo Toolbar (unless you want Yahoo Toolbar).
  • Once installed, run CCleaner, click the Windows [tab]
  • The following should be selected by default, if not, please select:
    (screenshot of the default selections; image not reproduced)
  • Then click Run Cleaner (bottom right).. Let it run until it finishes. After that click Exit


Now download OTS by OldTimer and save it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Run OTS.exe (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to WhiteList/File Age
  • At the bottom, tick on all Use WhiteList and Include All Unicode Names option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - Drivers32
      Reg - IE Explorer Bars
      Reg - NetSvcs
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..

Edited by fenzodahl512, 25 May 2009 - 06:23 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 eahwal

  • Topic Starter
  • Members
  • 12 posts

Posted 25 May 2009 - 10:22 PM

I ran ERUNT, CCleaner, and OTS.

Attached is my OTS.txt log

Thanks!

Attached file: OTS.Txt (212.49KB)


#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 May 2009 - 10:57 PM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Drivers to delete:
cnprov
idnaux

Files to delete:
c:\documents and settings\administrator\desktop\runscanner.exe
c:\documents and settings\administrator\desktop\sdfix.exe
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\windows\system32\drivers\cnprov.sys
c:\windows\syswow64\bikehizi.dll
c:\windows\syswow64\drivers\idnaux.sys
c:\windows\syswow64\fasapako.exe
c:\windows\syswow64\fejuvizo.dll
c:\windows\syswow64\gayobute
c:\windows\syswow64\guvebosa.dll
c:\windows\syswow64\hikenile.exe
c:\windows\syswow64\hudiyili.dll
c:\windows\syswow64\hukovefo.dll
c:\windows\syswow64\mojujebu.dll
c:\windows\syswow64\nofijoke.dll
c:\windows\syswow64\parahuri.dll
c:\windows\syswow64\pidizowi.dll
c:\windows\syswow64\sosafuji.exe
c:\windows\syswow64\tanetezo.dll
c:\windows\syswow64\tazofehu.dll
c:\windows\syswow64\tesirolo.dll
c:\windows\syswow64\wayebomi.exe
c:\windows\syswow64\wisepale.dll
c:\windows\syswow64\wuhomuro.dll

Folders to delete:
c:\documents and settings\administrator\local settings\application data\runscanner.net
c:\vundofix backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


Run OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Driver Services - Safe List]
YY -> (cnprov) cnprov [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\cnprov.sys
YY -> (idnaux) idnaux [Kernel | Auto | Stopped] -> C:\WINDOWS\SysWow64\drivers\idnaux.sys
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM57398cc3" -> C:\WINDOWS\SysWow64\wisepale.DLL [Rundll32.exe "c:\windows\system32\wisepale.dll",a]
YY -> "jabipapobe" -> C:\WINDOWS\SysWow64\tesirolo.DLL [Rundll32.exe "C:\WINDOWS\system32\tesirolo.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\guvebosa.dll -> C:\WINDOWS\SysWow64\guvebosa.dll
YY -> c:\windows\system32\wisepale.dll -> C:\WINDOWS\SysWow64\wisepale.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> c:\windows\SysWow64\wisepale.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> c:\windows\SysWow64\wisepale.dll [STS]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files (x86)\Symantec AntiVirus\VPC32.exe" -> C:\Program Files (x86)\Symantec AntiVirus\VPC32.exe [C:\Program Files (x86)\Symantec AntiVirus\VPC32.exe:*:Disabled:vpc32]
[Files/Folders - Created Within 90 Days]
NY -> Runscanner.net -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Runscanner.net
NY -> RunScanner.exe -> C:\Documents and Settings\Administrator\Desktop\RunScanner.exe
NY -> SDFix.exe -> C:\Documents and Settings\Administrator\Desktop\SDFix.exe
NY -> VundoFix Backups -> C:\VundoFix Backups
NY -> wisepale.dll -> C:\WINDOWS\SysWow64\wisepale.dll
NY -> parahuri.dll -> C:\WINDOWS\SysWow64\parahuri.dll
NY -> pidizowi.dll -> C:\WINDOWS\SysWow64\pidizowi.dll
NY -> hukovefo.dll -> C:\WINDOWS\SysWow64\hukovefo.dll
NY -> fejuvizo.dll -> C:\WINDOWS\SysWow64\fejuvizo.dll
NY -> wuhomuro.dll -> C:\WINDOWS\SysWow64\wuhomuro.dll
NY -> tesirolo.dll -> C:\WINDOWS\SysWow64\tesirolo.dll
NY -> mojujebu.dll -> C:\WINDOWS\SysWow64\mojujebu.dll
NY -> guvebosa.dll -> C:\WINDOWS\SysWow64\guvebosa.dll
NY -> nofijoke.dll -> C:\WINDOWS\SysWow64\nofijoke.dll
NY -> bikehizi.dll -> C:\WINDOWS\SysWow64\bikehizi.dll
NY -> tazofehu.dll -> C:\WINDOWS\SysWow64\tazofehu.dll
NY -> hudiyili.dll -> C:\WINDOWS\SysWow64\hudiyili.dll
NY -> tanetezo.dll -> C:\WINDOWS\SysWow64\tanetezo.dll
[Files/Folders - Modified Within 90 Days]
NY -> gayobute -> C:\WINDOWS\SysWow64\gayobute
NY -> wisepale.dll -> C:\WINDOWS\SysWow64\wisepale.dll
NY -> parahuri.dll -> C:\WINDOWS\SysWow64\parahuri.dll
NY -> pidizowi.dll -> C:\WINDOWS\SysWow64\pidizowi.dll
NY -> hukovefo.dll -> C:\WINDOWS\SysWow64\hukovefo.dll
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> fejuvizo.dll -> C:\WINDOWS\SysWow64\fejuvizo.dll
NY -> wuhomuro.dll -> C:\WINDOWS\SysWow64\wuhomuro.dll
NY -> tazofehu.dll -> C:\WINDOWS\SysWow64\tazofehu.dll
NY -> bikehizi.dll -> C:\WINDOWS\SysWow64\bikehizi.dll
NY -> nofijoke.dll -> C:\WINDOWS\SysWow64\nofijoke.dll
NY -> hudiyili.dll -> C:\WINDOWS\SysWow64\hudiyili.dll
NY -> fasapako.exe -> C:\WINDOWS\SysWow64\fasapako.exe
NY -> hikenile.exe -> C:\WINDOWS\SysWow64\hikenile.exe
NY -> tanetezo.dll -> C:\WINDOWS\SysWow64\tanetezo.dll
NY -> wayebomi.exe -> C:\WINDOWS\SysWow64\wayebomi.exe
NY -> sosafuji.exe -> C:\WINDOWS\SysWow64\sosafuji.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
NY -> @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here. I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

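A reviewer looking at an OTS fix script like the one above wants two things checked before it is pasted in: that every module whose registry or driver reference is being deleted also has its file deleted (otherwise the DLL stays on disk and only the pointer to it goes), and which files are being removed on the strength of the scanner's date filter alone, with no autostart reference behind them. The script below is an added example for this thread, not part of OTS or of the helper's instructions; it parses an excerpt constructed from the fix above into sections and entries and cross-checks the two sets. The excerpt deliberately leaves out the file entry for tesirolo.dll so that the consistency check has something to report, and the meaning of the YY/NY flag letters is taken as written in the script, not interpreted.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the OTS fix script above. The
# "NY -> tesirolo.dll" file entry is intentionally omitted (see lead-in).
SAMPLE_FIX = r"""
[Kill Explorer]
[Unregister Dlls]
[Driver Services - Safe List]
YY -> (cnprov) cnprov [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\cnprov.sys
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM57398cc3" -> C:\WINDOWS\SysWow64\wisepale.DLL [Rundll32.exe "c:\windows\system32\wisepale.dll",a]
YY -> "jabipapobe" -> C:\WINDOWS\SysWow64\tesirolo.DLL [Rundll32.exe "C:\WINDOWS\system32\tesirolo.dll",s]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> c:\windows\SysWow64\wisepale.dll [SSODL]
[Files/Folders - Created Within 90 Days]
NY -> wisepale.dll -> C:\WINDOWS\SysWow64\wisepale.dll
NY -> parahuri.dll -> C:\WINDOWS\SysWow64\parahuri.dll
[Files/Folders - Modified Within 90 Days]
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[Empty Temp Folders]
[Start Explorer]
[Reboot]
"""

SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^(?P<flags>[YN]{2}) -> (?P<body>.*)$')
# A Windows path: drive letter, directory components (may contain spaces),
# final component ending at whitespace, quotes or commas.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n,]+\\)*[^\\/:*?"<>|\r\n,\s]+')


@dataclass
class Entry:
    section: str
    flags: str   # the two flag letters exactly as written in the script
    paths: list  # every path mentioned on the entry line


def parse_fix(text):
    """Walk the script, tracking the current [Section] and collecting each flagged entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group('name')
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Entry(section, m.group('flags'), PATH_RE.findall(m.group('body'))))
    return entries


def basenames(entries, *prefixes):
    """Lower-cased file names from entries whose section starts with one of the prefixes.
    Case folding matters: the script names wisepale.DLL and wisepale.dll, the same file."""
    names = set()
    for e in entries:
        if e.section.startswith(prefixes):
            for p in e.paths:
                names.add(p.lower().rsplit('\\', 1)[-1])
    return names


def review(text):
    """Cross-check references against file removals in one fix script."""
    entries = parse_fix(text)
    referenced = basenames(entries, 'Registry', 'Driver Services')
    removed = basenames(entries, 'Files/Folders', 'Driver Services')
    return {
        'entries_per_section': dict(Counter(e.section for e in entries)),
        # reference deleted but the module itself left on disk
        'registry_without_file': sorted(referenced - removed),
        # file deleted only because the scanner's date filter caught it
        'files_without_reference': sorted(removed - referenced),
    }


if __name__ == '__main__':
    for key, value in review(SAMPLE_FIX).items():
        print(f'{key}: {value}')
```

On the excerpt the check reports tesirolo.dll as referenced in the Registry section but absent from the file removals, and parahuri.dll and qmgr0.dat as files removed with no autostart reference behind them; the first kind is the one to fix before running the script, the second is the list to sanity-check by hand.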


#9 eahwal

  • Topic Starter
  • Members
  • 12 posts

Posted 25 May 2009 - 11:18 PM

I ran Avenger but got an error. I think it is because I am on 64-bit XP.

"Fatal error: unsupported version of Windows! This program will only run on Windows 2000, XP, or Vista. Existing now!"

Let me know if I should still run OTS.exe, thanks!

#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 26 May 2009 - 12:06 AM

Proceed with the next step :thumbup2:



#11 eahwal

  • Topic Starter
  • Members
  • 12 posts

Posted 26 May 2009 - 02:19 AM

Hi again,

I ran the OTS.exe fix, and the log is below. At this point, I am still getting random popups. Also, when I rebooted my computer I got a RunDLL error popup. Unfortunately, I dismissed it immediately out of habit, but I believe it was something trying to run "tesirolo.DLL" and saying that the file was not found. Thanks so much for your help!

No active process named Explorer.EXE was found!
[Driver Services - Safe List]
Service cnprov stopped successfully!
Service cnprov deleted successfully!
C:\WINDOWS\system32\drivers\cnprov.sys moved successfully.
Service idnaux stopped successfully!
Service idnaux deleted successfully!
C:\WINDOWS\SysWow64\drivers\idnaux.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CPM57398cc3 deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\wisepale.DLL
C:\WINDOWS\SysWow64\wisepale.DLL NOT unregistered.
C:\WINDOWS\SysWow64\wisepale.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jabipapobe deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\tesirolo.DLL
C:\WINDOWS\SysWow64\tesirolo.DLL NOT unregistered.
C:\WINDOWS\SysWow64\tesirolo.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\guvebosa.dll deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\guvebosa.dll
C:\WINDOWS\SysWow64\guvebosa.dll NOT unregistered.
C:\WINDOWS\SysWow64\guvebosa.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\wisepale.dll deleted successfully.
File C:\WINDOWS\SysWow64\wisepale.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SSODL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File c:\windows\SysWow64\wisepale.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File c:\windows\SysWow64\wisepale.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files (x86)\Symantec AntiVirus\VPC32.exe deleted successfully.
[Files/Folders - Created Within 90 Days]
C:\Documents and Settings\Administrator\Local Settings\Application Data\Runscanner.net\Backups folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Runscanner.net folder moved successfully.
C:\Documents and Settings\Administrator\Desktop\RunScanner.exe moved successfully.
C:\Documents and Settings\Administrator\Desktop\SDFix.exe moved successfully.
C:\VundoFix Backups folder moved successfully.
File C:\WINDOWS\SysWow64\wisepale.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\parahuri.dll
C:\WINDOWS\SysWow64\parahuri.dll NOT unregistered.
C:\WINDOWS\SysWow64\parahuri.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\pidizowi.dll
C:\WINDOWS\SysWow64\pidizowi.dll NOT unregistered.
C:\WINDOWS\SysWow64\pidizowi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\hukovefo.dll
C:\WINDOWS\SysWow64\hukovefo.dll NOT unregistered.
C:\WINDOWS\SysWow64\hukovefo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\fejuvizo.dll
C:\WINDOWS\SysWow64\fejuvizo.dll NOT unregistered.
C:\WINDOWS\SysWow64\fejuvizo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\wuhomuro.dll
C:\WINDOWS\SysWow64\wuhomuro.dll NOT unregistered.
C:\WINDOWS\SysWow64\wuhomuro.dll moved successfully.
File C:\WINDOWS\SysWow64\tesirolo.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\mojujebu.dll
C:\WINDOWS\SysWow64\mojujebu.dll NOT unregistered.
C:\WINDOWS\SysWow64\mojujebu.dll moved successfully.
File C:\WINDOWS\SysWow64\guvebosa.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\nofijoke.dll
C:\WINDOWS\SysWow64\nofijoke.dll NOT unregistered.
C:\WINDOWS\SysWow64\nofijoke.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\bikehizi.dll
C:\WINDOWS\SysWow64\bikehizi.dll NOT unregistered.
C:\WINDOWS\SysWow64\bikehizi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\tazofehu.dll
C:\WINDOWS\SysWow64\tazofehu.dll NOT unregistered.
C:\WINDOWS\SysWow64\tazofehu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\hudiyili.dll
C:\WINDOWS\SysWow64\hudiyili.dll NOT unregistered.
C:\WINDOWS\SysWow64\hudiyili.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SysWow64\tanetezo.dll
C:\WINDOWS\SysWow64\tanetezo.dll NOT unregistered.
C:\WINDOWS\SysWow64\tanetezo.dll moved successfully.
[Files/Folders - Modified Within 90 Days]
C:\WINDOWS\SysWow64\gayobute moved successfully.
File C:\WINDOWS\SysWow64\wisepale.dll not found!
File C:\WINDOWS\SysWow64\parahuri.dll not found!
File C:\WINDOWS\SysWow64\pidizowi.dll not found!
File C:\WINDOWS\SysWow64\hukovefo.dll not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File C:\WINDOWS\SysWow64\fejuvizo.dll not found!
File C:\WINDOWS\SysWow64\wuhomuro.dll not found!
File C:\WINDOWS\SysWow64\tazofehu.dll not found!
File C:\WINDOWS\SysWow64\bikehizi.dll not found!
File C:\WINDOWS\SysWow64\nofijoke.dll not found!
File C:\WINDOWS\SysWow64\hudiyili.dll not found!
C:\WINDOWS\SysWow64\fasapako.exe moved successfully.
C:\WINDOWS\SysWow64\hikenile.exe moved successfully.
File C:\WINDOWS\SysWow64\tanetezo.dll not found!
C:\WINDOWS\SysWow64\wayebomi.exe moved successfully.
C:\WINDOWS\SysWow64\sosafuji.exe moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_egxr8XHvZvDD4bZ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_KiGNuoanb29zmtE scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF643.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTS by OldTimer - Version 3.0.2.5 fix logfile created on 05262009_001028

Files moved on Reboot...
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
File C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_egxr8XHvZvDD4bZ not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_KiGNuoanb29zmtE not found!
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF643.tmp moved successfully.

Registry entries deleted on Reboot...

#12 fenzodahl512

Posted 26 May 2009 - 03:09 AM

Please download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Then run OTS once again.. Post these logs in your next reply..

1. SUPERAntiSpyware
2. Attach OTS log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 eahwal
  • Topic Starter

Posted 26 May 2009 - 06:20 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2009 at 03:45 AM

Application Version : 4.26.1002

Core Rules Database Version : 3909
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 02:11:08

Memory items scanned : 342
Memory threats detected : 1
Registry items scanned : 5955
Registry threats detected : 7
File items scanned : 136315
File threats detected : 34

Adware.Vundo/Variant-MMIO
C:\WINDOWS\SYSTEM32\TUZOYONO.DLL
C:\WINDOWS\SYSTEM32\TUZOYONO.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP538\A0074986.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\FEJUVIZO.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\NOFIJOKE.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\PIDIZOWI.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\WISEPALE.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSWOW64\TUZOYONO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Trojan.CNNIC/Variant
C:\PROGRAM FILES\CNNIC\CDN\CDNUP.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074850.SYS

Adware.Vundo/Variant-81k
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP535\A0074797.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074812.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074890.DLL
C:\WINDOWS\SYSTEM32\GOPAFUSA.DLL
C:\WINDOWS\SYSWOW64\GOPAFUSA.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\BIKEHIZI.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\HUDIYILI.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\HUKOVEFO.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\PARAHURI.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\WUHOMURO.DLL

Adware.Vundo/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074804.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074805.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074810.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074811.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP536\A0074891.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9E243E-1541-4A4D-8D3A-4E4F5F942FD1}\RP538\A0075001.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\GUVEBOSA.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\MOJUJEBU.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\TANETEZO.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\TAZOFEHU.DLL
C:\_OTS\MOVEDFILES\05262009_001028\C_WINDOWS\SYSWOW64\TESIROLO.DLL

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\AZIPCONTMN.DLL
C:\WINDOWS\SYSTEM32\SYSFOLDERAZIPCNT.DLL
C:\WINDOWS\SYSWOW64\AZIPCONTMN.DLL
C:\WINDOWS\SYSWOW64\SYSFOLDERAZIPCNT.DLL

#14 fenzodahl512

Posted 26 May 2009 - 09:42 PM

Hi, please run OTS once again as you did the first time and post the log here for my review.



#15 eahwal
  • Topic Starter

Posted 26 May 2009 - 10:04 PM

Oops, I messed up the upload. Hopefully this works!

Attached Files





