Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removed VUNDO, Suspicious File oxihupof.dll Remains


  • Please log in to reply
3 replies to this topic

#1 zeisan

zeisan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 14 January 2010 - 10:35 AM

I successfuly removed a VUNDO infection with Malwarebytes anti-malware. I followed up with a scan from the company's anti-virus solution, Symantec Endpoint Protection, and everything seemed clear. I checked the process list, everything looks clean.

Going through the startup list, I found a suspicious file: oxyhupof.dll.

I unchecked the entry and moved the file to another folder, renaming it to a random phrase and extension. I googled for the file name and searched several file lists, including the one on this site, but no one can confirm whether this is a good or bad file.

From my experience, it behaves like malware. When i unchecked the file in the MSCONFIG startup list and rebooted, it added a new entry. I searched through my registry and found an entry in HKEY CURRENT USER/software/microsoft/shared tools/msconfig/startupreg/fxaqo .

Anyone have any experience with this certain file?

This is my first post and I am pressed for time, so I apologize if I do not adhere to the proper Bleeping Protocol. I will attach the file if requested.
Zeisan

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:29 AM

Posted 14 January 2010 - 11:31 AM

Hello zeisan and :thumbsup: to BleepingComputer.

Going through the startup list, I found a suspicious file: oxyhupof.dll.

I unchecked the entry and moved the file to another folder, renaming it to a random phrase and extension. I googled for the file name and searched several file lists, including the one on this site, but no one can confirm whether this is a good or bad file.


In short, yes it's a randomly named bad file generated by the vundo infection. It should be removed.

Though it sounds like the situation is under control, I'd also like to suggest another scanner you can use to double check. It complements Malwarebytes nicely. Instructions for using it follow. Please note that this scan will take some time to run.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:29 AM

Posted 14 January 2010 - 11:53 AM

Moved to Am I Infected from XP. back to you Blade.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 zeisan

zeisan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 14 January 2010 - 01:35 PM

Thanks very much for your kind reception and information. I'm scanning right now with SAS and will post the results for closure.

Thank you both for your help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users