Ifvbul.exe & Yomfu.exe


7 replies to this topic

#1 dienecho (Members, 8 posts)

Posted 28 July 2006 - 11:45 AM

Recovering from huge spyware infection. (My first ever after 10 years ;-)

I have removed about 200 spyware files/toolbars, etc. (through Lavasoft Adware) - including the SSK.EXE spyware infection, etc. However, these last 2 will not go away: YOMFU.EXE and IFVBUL.EXE

I've run HiJackThis and tried to find the listed files, but they do not exist in the place they're listed (i.e. c:/windows/system32....) IFVBUL is listed in my startup list in SysConfi-Startup, but doesn't list as a process. Also "BNICB" is listed in my "Common Startup" location in SysConfi-Startup but I don't see it either.

Here is my HiJackThis Log:

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:37:47 PM, on 28/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yomfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jktifrf.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------

Thanks for any help!
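The two F2 lines in the log above are the tell: the Winlogon Shell and Userinit values have extra executables appended after the Windows defaults, so they are launched at every logon. The following is an added example (not from the thread, HijackThis or Qoofix) of how a reviewer can triage such a log automatically: it flags Winlogon values beyond the assumed Windows XP defaults and O4 Run entries whose command carries no absolute path. The sample log is constructed from a subset of the lines posted above.

```python
import re

# Windows XP defaults for the Winlogon values HijackThis reports as F2 lines
# (assumed here). Anything appended after them, comma-separated, also runs at logon.
DEFAULTS = {
    "Shell": ["explorer.exe"],
    "UserInit": [r"c:\windows\system32\userinit.exe"],
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(.+?)\] (.*)$")
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\")

def extra_winlogon_entries(line):
    """For an F2 line return (key, [values beyond the default]); otherwise None."""
    m = F2_RE.match(line)
    if not m:
        return None
    key, value = m.groups()
    values = [v.strip().lower() for v in value.split(",") if v.strip()]
    return key, [v for v in values if v not in DEFAULTS[key]]

def unqualified_run_entry(line):
    """For an O4 line whose command names no absolute path, return the entry name."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, command = m.groups()
    return None if ABS_PATH_RE.search(command) else name

def triage(log_text):
    """Collect the entries a reviewer would look at first in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        f2 = extra_winlogon_entries(line)
        if f2 and f2[1]:
            findings.append(("winlogon", f2[0], f2[1]))
        name = unqualified_run_entry(line)
        if name:
            findings.append(("run-no-path", name, []))
    return findings

# Constructed sample: a subset of the lines in the first log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yomfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jktifrf.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
"""
```

Calling triage(SAMPLE_LOG) reports yomfu.exe on Shell and jktifrf.exe on UserInit, plus the path-less DeltTray entry; the last one is legitimate here (the M-Audio tray applet), which is why a path-less entry is a review item, not a verdict.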

#2 Daemon (Security Expert; Members, 1,446 posts; UK)

Posted 28 July 2006 - 02:47 PM

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.


Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 dienecho (Topic Starter; Members, 8 posts)

Posted 28 July 2006 - 03:12 PM

Hey! Thanks so much! This is the logfile. I had to do it twice, 'cause something crashed when it rebooted the first time, so there are 2 log postings - the second one's clean though.....

Whatever I can do for donations will be forthcoming. Thanks again!

-------------------------------------------------------------------------

Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [28/07/2006] at [3:59:11 PM]
-------------------------------------------------------------
Terminated module: omvbltq.dll found in Qoofix.exe (2700)
Terminated module: omvbltq.dll found in explorer.exe (1296)
Terminated module: omvbltq.dll found in yomfu.exe (1320)
Terminated module: omvbltq.dll found in ifvbul.exe (1404)
Terminated module: omvbltq.dll found in yomfu.exe (1412)
Terminated module: omvbltq.dll found in yomfu.exe (1420)
Terminated module: omvbltq.dll found in DeltTray.exe (352)
Terminated module: omvbltq.dll found in cledx.exe (372)
Terminated module: omvbltq.dll found in rundll32.exe (1892)
Terminated module: omvbltq.dll found in notepad.exe (3236)
-------------------------------------------------------------
C:\WINDOWS\System32\ifvbul.exe will be deleted on reboot!
C:\WINDOWS\System32\jktifrf.exe will be deleted on reboot!
C:\WINDOWS\System32\ndkeg.dat will be deleted on reboot!
C:\WINDOWS\System32\omvbltq.dll will be deleted on reboot!
C:\WINDOWS\System32\yomfu.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bnicb.exe will be deleted on reboot!
C:\WINDOWS\unwn.exe will be deleted on reboot!
C:\WINDOWS\System32\dmonwv.dll will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [28/07/2006] at [4:00:05 PM]

Note: Some registry keys may have been removed.


Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [28/07/2006] at [4:02:31 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [28/07/2006] at [4:03:10 PM]

Note: Some registry keys may have been removed.

#4 Daemon (Security Expert; Members, 1,446 posts; UK)

Posted 28 July 2006 - 03:20 PM

OK, good. Could you post a new HJT log now?

#5 dienecho (Topic Starter; Members, 8 posts)

Posted 28 July 2006 - 03:28 PM

Hey, here is the HiJack file. I also ran Ad-Aware just before this. It found 21 "Critical Objects" (files, not processes this time) that I couldn't remove before. But it removed them no problem this time....

-----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:23:09 PM, on 28/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Michael McCann\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 Daemon (Security Expert; Members, 1,446 posts; UK)

Posted 28 July 2006 - 03:41 PM

Your log is OK now - how is it running?

#7 dienecho (Topic Starter; Members, 8 posts)

Posted 28 July 2006 - 03:49 PM

Everything is running perfectly. I guess my 'never getting a virus or spyware attack' luck ran out today. ;-)
I've never pulled the plug on my internet, external drives and power so fast as when 100 windows popped up on my computer in about 10 seconds saying "INSTALLING CASINO....." Haha.

I'll definitely install some of your suggested security software you've mentioned on other posts.

Thanks for your help!

#8 Daemon (Security Expert; Members, 1,446 posts; UK)

Posted 28 July 2006 - 04:06 PM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.