Random IE Popups (OI), Trojan Vundo

By Strizz75
Oct 4, 2007
Topic Status:
Not open for further replies.
  1. Hey, over the last three days or so I have been having issues similar to some of the other posts I have read on here in regards to random IE popups from OI and other things. I've run my S&D a number of times as well as Adaware and used the OI uninstaller, however I am still receiving the random adware popups and have seen an increased number of viruses caught by Symantec over the past several days, most of which are quarantined, however there is one from my temp internet folder which does not get any treatment and deleting has only seen it come back (Temporary Internet Files\Content.IE5\WDQVK1AF). Anyways, here is my HJT log, any help would be greatly appreciated as this is driving me up a wall.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard

    This thread is for the use of Strizz75 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    I have been following the steps, however, I am unable to successfully run SmitFraudFix or Combofix on my computer, they load, then go to a blank blue screen; is there any way around this?
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Just skip those for now, and continue with the rest of the instructions.

    Regards Howard :)

  5. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Alright, I've followed the steps (with the exception of the aforementioned smitfraudfix and combofix) and have come back to basically the same problems. Upon rebooting in normal mode I immediately received two hits on symantec similar to the ones I had been getting before:

    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\lkjh[1]
    Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
    Action taken: Clean failed : Quarantine failed : Access denied

    Virus name: Downloader
    File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\valera[2]
    Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
    Action taken: Clean failed : Quarantine failed : Access denied


    As well as several IE popups. Attached are the HJT and AVG logs (2 txt files), also, the anti rootkit came up showing no problems...
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Delete all files in AVG Antispyware quarantine.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path(s) of the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the file paths you need to enter into Vundofix.

    C:\WINDOWS\system32\dnmvaxkc.dll
    C:\WINDOWS\system32\ibqxfryr.dll
    C:\WINDOWS\system32\yayax.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

    Viewpoint
    Viewpoint Manager
    Support.com

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    tgkill.exe
    ViewMgr.exe
    ViewpointService.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ibqxfryr.dll

    O2 - BHO: (no name) - {9C20A88F-B911-4418-B6F6-F36C2DC8265B} - C:\WINDOWS\system32\yayax.dll

    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dnmvaxkc.dll",sitypnow

    O9 - Extra button: Support - {12044E03-17DA-4489-BB02-BE1CDDC205A7} - http://www.comcastsupport.com (file missing) (HKCU)

    O9 - Extra button: ComcastHSI - {3CE0B295-D282-43EF-978C-DA7C6C6D232B} - http://www.comcast.net (file missing) (HKCU)

    O9 - Extra button: Help - {ABA3EF46-AA3D-44BC-9ABD-8B4179CEB381} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\Viewpoint

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as a Combofix log.

    Regards Howard :)

  7. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Followed the above instructions and attached is a fresh HJT log.

    -The yayax.dll file has returned, and I received another downloader virus warning from symantec upon booting in normal mode again, not as many as before and still catching the occasional IE popup.

    Event: Virus Found!
    Virus name: Downloader
    File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX\valera[2]
    Location: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\H9STLMNX
    Action taken: Clean failed : Quarantine failed : Access denied

    Also, I am still unable to run combofix, as it is "preparing to run" I receive MS "Freeware Implementation of Reg.EXE" errors; it goes no further than that as the error messages repeat.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

  9. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Attached are the HJT and Avenger logs; I noticed in HJT the yayax.dll and proknadm.dll files have returned. I have yet to receive any virus indications from Symantec or IE popups, however, the system seems to pause every few seconds for 3-4 seconds and is slow to respond. I'm not sure if those .dll files have anything to do with that.

    Also, I received a message in the popup window upon rebooting from Avenger: "The system cannot find the file specified. Could not find C:\avenger\*.reg 1 file<s> copied.
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Looks like we might be getting somewhere.

    Please run the Avenger again, but use the avengerscript attached to this post.

    Then go HERE and try and follow the instructions for Smitfraudfix and Combofix.

    I'd also like you to follow the instructions in step 11 for Panda Antirootkit and let me know the results.

    Post the c:\avenger.txt into your reply, as well as a fresh HJT log.
    Also, post a Combofix log if you can.

    Don't forget to let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

  11. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Just so I'm on the same page, the HERE link goes to step 12 and the SmitFraudFix page? I'm not getting a URL link for it.
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Sorry, I forgot to add the link, fixed now.

    Regards Howard :)
  13. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Attached are the HJT, Combofix and Avenger logs (I'm not sure why, but two Avenger MS prompts popped up on reboot, providing the same actions/notepad results). Upon running Avenger this time around, I received the message "could not create zip file error code: 0".

    I was also able to successfully run smitfraudfix this time around. Also, the anti rootkit scan turned up no rootkits.

    I noticed in the HJT log the yayax.dll file has returned, and a strange .bat file.

    As far as symptoms are concerned, the computer is still pausing for 2-3 second intervals and running pretty slow; also, on reboots (aside from this past one) I am getting prompted with ms prompts that have read:

    "The system could not find the file specified. Could not find c:\avenger\*.reg 1 file<s> copied."

    "1 file<s> copied."

    "The process cannot access the file because it is being used by another process."
     
  14. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Note: For some reason my Combofix log isn't attaching, although it shows it on the "delete" screen in the manage attachments section; I received the error message there "combofix.txt attachment in progress can be deleted here."
  15. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Unfortunately, I can't see your Combofix log.

    Your HJT log is now clean, apart from one entry that needs fixing.

    O2 - BHO: (no name) - {23229E5B-96A7-4B79-A94D-9FB507FB471B} - C:\WINDOWS\system32\yayax.dll (file missing) <- This is harmless and is in fact inactive.

    Click the fix checked button.

    Please try and attach a Combofix and AVG Antispyware log.

    Regards Howard :)

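The Vundofix step in post #6 asks for the full paths of the DLLs behind the unnamed O2 (BHO) and rundll32 O4 (Run key) entries, and post #15 points out that an O2 entry marked "(file missing)" is inactive and only needs its registry entry fixed. The script below is an added example written for this thread, not a tool used in the original posts: it parses HJT-style log lines, flags the two Vundo persistence patterns seen here, separates orphaned "(file missing)" BHOs, and emits the de-duplicated DLL list to paste into Vundofix. The sample log is constructed from the entries quoted in the thread plus one named, benign-looking BHO with a placeholder CLSID and path (both assumed) so the filter has something it must not flag.

```python
"""Triage a HijackThis (HJT) log for Vundo-style persistence entries.

Added example for this thread, not a tool used in the original posts.
Reads HJT "O2" (Browser Helper Object) and "O4" (Run key) lines and flags
the two patterns Vundo used on this machine: unnamed BHOs backed by a DLL
in system32, and Run values that load a system32 DLL through rundll32.exe.
"(file missing)" BHOs are reported separately as orphaned registry entries
(nothing on disk to delete, only the CLSID entry to fix with HJT).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries quoted in this thread plus one benign named BHO
# with a placeholder CLSID and path (assumed) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ibqxfryr.dll
O2 - BHO: (no name) - {9C20A88F-B911-4418-B6F6-F36C2DC8265B} - C:\WINDOWS\system32\yayax.dll
O2 - BHO: (no name) - {23229E5B-96A7-4B79-A94D-9FB507FB471B} - C:\WINDOWS\system32\yayax.dll (file missing)
O2 - BHO: Example Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dnmvaxkc.dll",sitypnow
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "C:\...\x.dll",export  (quotes optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)


def in_system32(path):
    return "\\system32\\" in path.lower()


@dataclass
class Finding:
    section: str
    reason: str
    path: str
    line: str


@dataclass
class Triage:
    suspicious: list = field(default_factory=list)
    orphaned: list = field(default_factory=list)

    def vundofix_paths(self):
        """DLL paths to paste into Vundofix's 'add files' dialog, de-duplicated."""
        out = []
        for f in self.suspicious:
            if f.path.lower().endswith(".dll") and f.path not in out:
                out.append(f.path)
        return out


def triage(log_text):
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            if b.group("missing"):
                # Registry points at a DLL that is gone: inactive, fix the key only.
                result.orphaned.append(Finding(
                    section, "BHO registered but DLL missing; fix the CLSID entry only",
                    b.group("path"), line))
            elif b.group("name") == "(no name)" and in_system32(b.group("path")):
                result.suspicious.append(Finding(
                    section, "unnamed BHO backed by a system32 DLL", b.group("path"), line))
        elif section == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            d = RUNDLL_RE.search(r.group("cmd"))
            if d and in_system32(d.group("dll")):
                result.suspicious.append(Finding(
                    section,
                    f"Run value [{r.group('value')}] loads a system32 DLL via "
                    f"rundll32 export {d.group('export')}",
                    d.group("dll"), line))
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for f in t.suspicious:
        print(f"SUSPICIOUS {f.section}: {f.reason}\n    {f.line}")
    for f in t.orphaned:
        print(f"ORPHANED   {f.section}: {f.reason}\n    {f.line}")
    print("Paths for Vundofix:")
    for p in t.vundofix_paths():
        print("   ", p)
```

The rules are deliberately narrow: a random-looking lowercase name alone is a poor signal (legitimate system32 DLLs such as wininet.dll would match), so the script keys on the combination that Vundo actually left here, an unnamed BHO or a rundll32 Run value, both pointing into system32. A DLL that reappears after deletion, as yayax.dll did in this thread, means a loader is still alive and the O4 entry should be checked again.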
  16. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Ok, here is the combofix log, sorry about that.
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your Combofix log doesn't look complete to me.

    Run the Avenger yet again and use the script file attached to this post.

    Post the Avenger log as well as a fresh Combofix log and let me know if you're still having problems.

    Regards Howard :)

  18. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    One other question: I am on a separate computer at the moment, currently running AVG on the infected machine. So far the only infections have been tracking cookies. I have the "how to act" setting set to 'quarantine', however, the last time I ran AVG it failed to delete most of the tracking cookies, even when I ran it with delete as the option. Is there any way around this?
  19. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    If AVG Antispyware is only finding tracking cookies, don't worry about it. These are not actually harmful and can easily be cleaned by running Ccleaner as per step 9 of these instructions.

    Regards Howard :)

  20. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Hmm, it seems I've run across another minor issue... I've been trying to run an AVG Antispyware scan, however, it gets a quarter of the way through (complete scan) and seems to stop. I tried rebooting and running again but it ran into the same issue. Any ideas? (The duration timer is still active, however, no files are coming up as scanned and the bar isn't moving.)
  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, stop AVG Antispyware and do the following instead.

    Download the free Superantispyware programme. Install the programme and run the Updates.

    Run SUPERAntiSpyware and click on Preferences, click on the tab: Scanning Control, click to check-mark everything under: Scanner Options. Click "Close". Now, click on Scan your Computer.... Check-mark hard drive(s). Enable Perform Complete Scan. Click "Next." It may take a while to scan your entire computer.

    Post the Superantispyware log as well as a fresh Combofix log.

    Don't forget to follow the Avenger instructions in my post #17.

    Regards Howard :)
  22. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Attached are the Combofix and SuperAntiSpyware logs. The system is still pausing on occasion, and while running SuperAntiSpyware overnight, Symantec picked up a Downloader and Trojan.Vundo hit, but unlike other times was able to quarantine them this time; they are:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CGJXKTND\lkjh[1]
    Location: Quarantine
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Mon Oct 08 21:12:16 2007

    and

    A0000005.exe
    Location: C:\System Volume Information\_restore{087813BF-8144-4CA8-8B36-C202F35C6F20}\RP2\
    Virus Name: Trojan.Vundo
    Action taken: Quarantined
    Status: Infected
    Current Location: Quarantine

    I'm not sure if this is relevant or not, but, when I first started having these issues earlier last week I disabled my system restore.
  23. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Did you follow the instructions in my post#17?

    If so, where's the c:\avenger.txt?

    Regards Howard :)

  24. Strizz75

    Strizz75 Newcomer, in training Topic Starter Posts: 27

    Yep, sorry, didnt realize you wanted that log as well. Here it is.
  25. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Run the Avenger yet again and use the Avenger script in this post.

    Post the c:\avenger.txt as well as fresh Combofix and HJT logs.

    Let me know how your system is running.

    Regards Howard :)
