Random IE Popups (OI), Trojan Vundo


Strizz75

Hey, over the last three days or so I have been having issues similar to some of the other posts I have read on here in regards to random IE popups from OI and other things. I've run my S&D a number of times as well as Ad-Aware and used the OI uninstaller; however, I am still receiving the random adware popups and have seen an increased number of viruses caught by Symantec over the past several days. Most of these are quarantined; however, there is one from my temp internet folder which does not get any treatment, and deleting it has only seen it come back (Temporary Internet Files\Content.IE5\WDQVK1AF). Anyways, here is my HJT log; any help would be greatly appreciated as this is driving me up a wall.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Strizz75 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I have been following the steps, however, I am unable to successfully run SmitFraudFix or Combofix on my computer, they load, then go to a blank blue screen; is there any way around this?
 
Just skip those for now, and continue with the rest of the instructions.

Regards Howard :)

 
Alright, I've followed the steps (with the exception of the aforementioned SmitFraudFix and Combofix) and have come back to basically the same problems. Upon rebooting in normal mode I immediately received two hits on Symantec similar to the ones I had been getting before:

Virus name: Trojan.Vundo
File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\lkjh[1]
Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
Action taken: Clean failed : Quarantine failed : Access denied

Virus name: Downloader
File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\valera[2]
Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
Action taken: Clean failed : Quarantine failed : Access denied


As well as several IE popups. Attached are the HJT and AVG logs (2 txt files); also, the anti-rootkit came up showing no problems...
 
Delete all files in AVG Antispyware quarantine.

Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

These are the file paths you need to enter into Vundofix.

C:\WINDOWS\system32\dnmvaxkc.dll
C:\WINDOWS\system32\ibqxfryr.dll
C:\WINDOWS\system32\yayax.dll

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

Viewpoint
Viewpoint Manager
Support.com

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Viewpoint Manager Service

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

tgkill.exe
ViewMgr.exe
ViewpointService.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ibqxfryr.dll

O2 - BHO: (no name) - {9C20A88F-B911-4418-B6F6-F36C2DC8265B} - C:\WINDOWS\system32\yayax.dll

O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dnmvaxkc.dll",sitypnow

O9 - Extra button: Support - {12044E03-17DA-4489-BB02-BE1CDDC205A7} - http://www.comcastsupport.com (file missing) (HKCU)

O9 - Extra button: ComcastHSI - {3CE0B295-D282-43EF-978C-DA7C6C6D232B} - http://www.comcast.net (file missing) (HKCU)

O9 - Extra button: Help - {ABA3EF46-AA3D-44BC-9ABD-8B4179CEB381} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Viewpoint

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a Combofix log.

Regards Howard :)

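A small triage helper for HJT log lines like the ones Howard lists above, added here as an example (it is not part of the thread and not HijackThis code). The two "Vundo-style" checks are heuristics assumed from this thread's entries (an unnamed O2 BHO in system32, and an O4 Run key using rundll32 on a system32 DLL), "(file missing)" is treated as inactive as Howard notes later, and the sample lines are constructed from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HJT entries copied from this thread plus the benign O23 service line.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ibqxfryr.dll
O2 - BHO: (no name) - {23229E5B-96A7-4B79-A94D-9FB507FB471B} - C:\WINDOWS\system32\yayax.dll (file missing)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dnmvaxkc.dll",sitypnow
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+)\s+-\s+(?P<body>.*)$")
# First Windows path ending in .dll; stops at quotes, whitespace or the rundll32 comma.
DLL_RE = re.compile(r"([A-Za-z]:\\[^\"\s,]+?\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    path: Optional[str]
    verdict: str  # "active", "inactive" or "review"
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT log line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    path_m = DLL_RE.search(body)
    path = path_m.group(1) if path_m else None
    in_system32 = bool(path and re.search(r"\\system32\\[^\\]+$", path, re.IGNORECASE))
    if "(file missing)" in body:
        # Registry leftover pointing at a file that is gone: nothing runs, fix to tidy up.
        return Finding(kind, path, "inactive", "referenced file missing; fix entry to clean up")
    if kind == "O2" and "(no name)" in body and in_system32:
        return Finding(kind, path, "active", "unnamed BHO loading a DLL from system32")
    if kind == "O4" and "rundll32.exe" in body.lower() and in_system32:
        return Finding(kind, path, "active", "Run key loads a system32 DLL via rundll32")
    return Finding(kind, path, "review", "no Vundo-style pattern matched; inspect manually")


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole HJT log and keep only real entries."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]
```

The "review" verdict is deliberately not "clean": entries such as the Support.com and Viewpoint lines above were still removed in this thread on other grounds.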
 
Followed the above instructions and attached is a fresh HJT log.

- The yayax.dll file has returned, and I received another Downloader virus warning from Symantec upon booting in normal mode again; not as many as before, and I'm still catching the occasional IE popup.

Event: Virus Found!
Virus name: Downloader
File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\valera[2]
Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
Action taken: Clean failed : Quarantine failed : Access denied

Also, I am still unable to run Combofix; as it is "preparing to run" I receive MS "Freeware Implementation of Reg.EXE" errors, and it goes no further than that as the error messages repeat.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

 
Attached are the HJT and Avenger logs; I noticed in HJT the yayax.dll and proknadm.dll files have returned. I have yet to receive any virus indications from Symantec or IE popups; however, the system seems to pause every few seconds for 3-4 seconds and is slow to respond. I'm not sure if those .dll files have anything to do with that.

Also, I received a message in the popup window upon rebooting from Avenger: "The system cannot find the file specified. Could not find C:\avenger\*.reg 1 file<s> copied."
 
Looks like we might be getting somewhere.

Please run the Avenger again, but use the avengerscript attached to this post.

Then go HERE and try and follow the instructions for Smitfraudfix and Combofix.

I'd also like you to follow the instructions in step 11 for Panda Antirootkit and let me know the results.

Post the c:\avenger.txt into your reply, as well as a fresh HJT log.
Also, post a Combofix log if you can.

Don't forget to let me know the results of the Panda Antirootkit scan.

Regards Howard :)

 
Just so I'm on the same page, the HERE link goes to step 12 and the SmitFraudFix page? I'm not getting a URL link for it.
 
Attached are the HJT, Combofix and Avenger logs (I'm not sure why, but two Avenger MS prompts popped up on reboot, providing the same actions/notepad results). Upon running Avenger this time around, I received the message "could not create zip file error code: 0".

I was also able to successfully run SmitFraudFix this time around. Also, the anti-rootkit scan turned up no rootkits.

I noticed in the HJT log the yayax.dll file has returned, and a strange .bat file.

As far as symptoms are concerned, the computer is still pausing for 2-3 second intervals and running pretty slow; also, on reboots (aside from this past one) I am getting prompted with MS prompts that have read:

"The system could not find the file specified. Could not find c:\avenger\*.reg 1 file<s> copied."

"1 file<s> copied."

"The process cannot access the file because it is being used by another process."
 
Note: For some reason my Combofix log isn't attaching, although it shows it on the "delete" screen in the manage attachments section; I received the error message there "combofix.txt attachment in progress can be deleted here."
 
Unfortunately, I can't see your Combofix log.

Your HJT log is now clean, apart from one entry that needs fixing.

O2 - BHO: (no name) - {23229E5B-96A7-4B79-A94D-9FB507FB471B} - C:\WINDOWS\system32\yayax.dll (file missing) <-- This is harmless and is in fact inactive.

Click the fix checked button.

Please try and attach a Combofix and AVG Antispyware log.

Regards Howard :)

 
Your Combofix log doesn't look complete to me.

Run the Avenger yet again and use the script file attached to this post.

Post the Avenger log as well as a fresh Combofix log and let me know if you're still having problems.

Regards Howard :)

 
One other question: I am on a separate computer at the moment, currently running AVG on the infected machine. So far the only infections have been tracking cookies. I have the "how to act" settings set to 'quarantine'; however, the last time I ran AVG it failed to delete most of the tracking cookies, even when I ran it and used delete as an option. Is there any way around this?
 
If AVG Antispyware is only finding tracking cookies, don't worry about it. These are not actually harmful and can easily be cleaned by running Ccleaner as per step 9 of these instructions.

Regards Howard :)

 
Hmm, it seems I've run across another minor issue... I've been trying to run an AVG Antispyware scan; however, it gets a quarter of the way through (complete scan) and seems to stop. I tried rebooting and running again but it's run into the same issue; any ideas? (The duration timer is still active; however, no files are coming up as scanned and the bar isn't moving.)
 
Ok, stop AVG Antispyware and do the following instead.

Download the free Superantispyware programme. Install the programme and run the Updates.

Run SUPERAntiSpyware and click on Preferences, click on the tab: Scanning Control, click to check-mark everything under: Scanner Options. Click "Close". Now, click on Scan your Computer.... Check-mark hard drive(s). Enable Perform Complete Scan. Click "Next." It may take a while to scan your entire computer.

Post the Superantispyware log as well as a fresh Combofix log.

Don't forget to follow the Avenger instructions in my post #17.

Regards Howard :)
 
Attached are the Combofix and SUPERAntiSpyware logs. The system is still pausing on occasion, and while running SUPERAntiSpyware overnight, Symantec picked up a Downloader and Trojan.Vundo hit, but unlike other times it was able to quarantine them this time; they are:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CGJXKTND\lkjh[1]
Location: Quarantine
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Mon Oct 08 21:12:16 2007

and

A0000005.exe
Location: C:\System Volume Information\_restore{087813BF-8144-4CA8-8B36-C202F35C6F20}\RP2\
Virus Name: Trojan.Vundo
Action taken: Quarantined
Status: Infected
Current Location: Quarantine

I'm not sure if this is relevant or not, but, when I first started having these issues earlier last week I disabled my system restore.
 
howard_hopkinso said:
Don't forget to follow the Avenger instructions in my post #17.

Did you follow the instructions in my post #17?

If so, where's the c:\avenger.txt?

Regards Howard :)

 
Run the Avenger yet again and use the Avenger script in this post.

Post the c:\avenger.txt as well as fresh Combofix and HJT logs.

Let me know how your system is running.

Regards Howard :)
