TechSpot

Very Dangerous Problem (Not previously addressed) : Trojan Vundo

By OKai
Jun 9, 2007
Topic Status:
Not open for further replies.
  1. Hello there,

    I am in a grave mood and in deep misery. My computer has been infected with Trojan Vundo for about 1 week and it started to wreak havoc on my computer about 2 days ago.

    I have tried many different ways to get rid of it. I tried Symantec's Trojan Vundo remover, the online scanner recommended by TechSpot, and many other trojan removers. I have also tried scanning and deleting it with my antivirus program.

    However, each time I use such software to locate and destroy it, my computer just reboots. The various removers will just start scanning for the first 15 or so minutes, then it just stops in the middle, and my entire computer just restarts automatically.

    Each time I log in to my computer, my antivirus program keeps on saying my computer is infected, and no matter how many times I click "delete virus" it will always pop back up instantly.

    I am frustrated and stranded as I do not know how to approach this.

    Please help me.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. OKai

    OKai TS Rookie Topic Starter Posts: 35

    I have tried the way you suggested, but I do not know why every time I try to scan my computer using the remover programs my computer just reboots.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Then, post a HJT log as per these instructions HERE and we`ll see what we can do.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Sorry what is a HJT log?
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    If you click on the link I gave you, you'd find out. However, since you ask, it's a small programme that enables us to see what's running on your system, both good and bad. It can also help us to stop certain processes from running.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. OKai

    OKai TS Rookie Topic Starter Posts: 35

    I have got the log from hijack this.
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, attach the c:\avenger.txt

    Also, let me know the results of the AVG Antirootkit scan.


    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

    Attached Files:

  9. OKai

    OKai TS Rookie Topic Starter Posts: 35

    When I install Avenger it says that it is a "Backdoor Agent" and my antivirus asks me what to do.

    I clicked on "Ignore", and when I extract it and click on it, the file says that it cannot be reached or accessed or maybe I do not have enough privileges...? But I am the sole and ultimate owner of my computer! Arg!

    What is the problem here?
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The Avenger is definitely not a backdoor agent, but is a programme that is used to get rid of infected files etc.

    Temporarily disable your antivirus programme and try to follow the instructions again.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. OKai

    OKai TS Rookie Topic Starter Posts: 35

    I turned my antivirus off and it worked.

    However when I loaded the script & clicked on the green button, I got many little windows saying that there are many missing files.

    However, I kept on clicking and the computer just rebooted once, then a black window popped up; in there, it stated that a lot of files are "missing".

    I have attached the avengerlog?
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Whatever logfile that is, it's definitely not the Avenger log, which will be located in c:\avenger.txt.

    See if you can attach that logfile.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  13. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Ok here is what I get.

    Error: Line processing failed

    Pess ok to log error and continue or cancel to abort

    Error code: 0
    Line:

    E:/Program Files/浩房对站平台/Gameclient.exe

    Error: Could not create zip file

    ---

    Could the problem be an error in the avengerscript you sent me?
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Nope, no error in the Avenger script.

    Let's try this instead.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox

    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\SYSTEM32\byxuvur.dll
    C:\WINDOWS\Downloaded Program Files\fcplugin.dll

    E:\Program Files\ºÆ·½¶Ôսƽ̨\GameClient.exe
    C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
    D:\QQ\SendMMS.htm

    C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
    D:\QQ\AddEmotion.htm
    D:\QQ\AddPanel.htm

    E:\Program Files\KuGoo3\KuGoo3DownX.htm
    D:\QQ\AddToNetDisk.htm
    C:\Program Files\EbayShop\EbayShop.exe

    D:\QQ\QQ.exe
    C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe
    C:\PROGRA~1\3721\helper.dll

    C:\Program Files\eSnips\ClientGW.exe
    C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
    C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

    C:\WINDOWS\system32\syshelper.dll
    C:\WINDOWS\DOWNLO~1\cnshook.dll
    C:\Program Files\Alexacn\Alexacn.dll

    C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
    C:\Program Files\Yayad\AdCore.dll

    Once your system has rebooted, rehide your protected OS files.

    Follow the instructions in this thread HERE and post the requested logfiles once done.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  15. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Thanks.

    I have already finished with the Pocket Killbox Programme, and I have deleted the files you have listed for me while in Safe Mode while "Show(ing) all files and folders, including hidden and system".

    When I rebooted my computer this avenger.txt popped up. I have included it just for your reference.

    At the moment my antivirus programme still reports that my computer has the Trojan Vundo.rg

    I will run the AVG Antispyware, Combofix, and HijackThis in about 12 hours time. (I live in ASIA, near Hong Kong)

    I will then provide the logs for you ASAP. Please come back and check often; I will be going to sleep now! Thanks so far! I still need your help.
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No worries. As soon as you post again with your logfiles, I'll get an email notification that you've posted. ;)

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  17. OKai

    OKai TS Rookie Topic Starter Posts: 35

    I report grave and distressing news.

    As I have already stated, the problem with my computer is that EVERYTIME I use some sort of "anti-virus/spyware/trojan software" to try to locate and eliminate threats, MY COMPUTER JUST RESTARTS AUTOMATICALLY IN THE MIDDLE OF THE SEARCH.

    Somehow the Trojans on my computer (Trojan Vundo) senses that some program is trying to locate it, and then automatically reboots the computer, halting the search prematurely EVERYTIME!

    I have tried using the 3 tools you gave me and only VBG worked (but system rebooted while in middle of it) and the other 2 just didn't load. I have included a logfile of VBG.

    I have also used the AVG Antispyware, after searching for 3.5 hours my computer automatically rebooted itself. Perhaps the malware in my computer sensed that something is targeting them.

    I am extremely stressed.

    Please offer more advice.
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's not good.

    Let's see if we can manually remove some of the nasties.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for the following (if there).

    GameClient.exe
    EbayShop.exe
    QQ.exe

    Webthirdcoal.exe
    ClientGW.exe
    yassistse.exe

    YLive.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - C:\Program Files\Yayad\AdCore.dll

    O2 - BHO: (no name) - {25530E69-0363-3CBD-79FA-C83FD967CD7E} - (no file)

    O2 - BHO: (no name) - {3703132A-5D9B-4BFF-8C42-3DC88EF5E2A2} - C:\WINDOWS\system32\geedc.dll (file missing)

    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL

    O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\byxuvur.dll

    O2 - BHO: (no name) - {79E69320-8637-4377-AA12-B90AEE200D50} - C:\WINDOWS\system32\jkklj.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: IEHelper Class - {9583C683-1E3B-46D9-BB95-EBB0939E49D4} - C:\WINDOWS\System32\goxhelper.dll (file missing)

    O2 - BHO: (no name) - {9DB24B4F-371A-4F3D-B189-B2E7C918C80B} - C:\WINDOWS\system32\geebb.dll (file missing)

    O2 - BHO: Alexacn.xLeft - {B437B7E2-B769-4F90-A2AD-FF5520637977} - C:\Program Files\Alexacn\Alexacn.dll

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll

    O2 - BHO: Csyshelper Object - {E16BB625-16F1-4338-AA38-098F6873AC24} - C:\WINDOWS\system32\syshelper.dll

    O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no file)

    O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

    O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"

    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"

    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

    O4 - HKCU\..\Run: [Media Drv] C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe

    O4 - Startup: ÌÚѶQQ.lnk = D:\QQ\QQ.exe

    O4 - Global Startup: eBayÒ×Ȥ--È«ÇòÉÌÆ·Ò»Íø´ò¾¡.lnk = C:\Program Files\EbayShop\EbayShop.exe

    O8 - Extra context menu item: &Search - http://kw.bar.need2find.com/KW/menusearch.html?p=KW

    O8 - Extra context menu item: ÉÏ´«µ½QQÍøÂçÓ²ÅÌ - D:\QQ\AddToNetDisk.htm

    O8 - Extra context menu item: ʹÓÃKuGoo3ÏÂÔØ(&K) - E:\Program Files\KuGoo3\KuGoo3DownX.htm

    O8 - Extra context menu item: ÊղشËÒ³µ½ÐÂÀËViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt

    O8 - Extra context menu item: ÐÂÀËËÑË÷ - http://cha.sina.com.cn/ddt.html

    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - D:\QQ\AddPanel.htm

    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - D:\QQ\AddEmotion.htm

    O8 - Extra context menu item: Ìí¼Óµ½ÑÅ»¢¶©ÔÄ(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT

    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - D:\QQ\SendMMS.htm

    O8 - Extra context menu item: ÑÅ»¢ËÑË÷ - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246

    O9 - Extra button: FirstClass? - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll

    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

    O9 - Extra button: ºÆ·½¶Ôսƽ̨ - {0A155D3C-68E2-4215-A47A-E800A446447A} - E:\Program Files\ºÆ·½¶Ôսƽ̨\GameClient.exe

    O9 - Extra button: Yahoo 3.5GµçÓÊ - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

    O9 - Extra button: ÃûÆ·ÕÛ¿Û - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

    O9 - Extra button: ÑÅ»¢ÖúÊÖ - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

    O9 - Extra button: ÑÅ»¢WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

    O9 - Extra button: Çé¾°ÁÄÌì - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

    O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra 'Tools' menuitem: ÐÞ¸´ä¯ÀÀÆ÷ - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O9 - Extra 'Tools' menuitem: ÇåÀíÉÏÍø¼Ç¼ - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O11 - Options group: [!CNS] ÖÐÎÄÉÏÍø

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c415.cab

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

    O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab

    O16 - DPF: {98A62E3F-A8C5-4EF0-8A00-C70CF9D18A89} (LoaderCore Class) - http://tb.sogou.com/DLLoader.cab

    O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass?Control) - http://ramsnet.aisgz.edu.cn/ClientDownloads/fcplugin.cab

    O16 - DPF: {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2} (Qzone Media Tools) - http://qqmusic.qq.com/QQPlayer.cab

    O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll

    O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX (file missing)

    O18 - Filter hijack: text/html - (no CLSID) - (no file)

    O20 - Winlogon Notify: byxuvur - C:\WINDOWS\SYSTEM32\byxuvur.dll

    O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)

    O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)

    O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

    O22 - SharedTaskScheduler: Browseui Ô¤¼ÓÔسÌÐò - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

    O22 - SharedTaskScheduler: ×é¼þÀà±ð»º´æ³ÌÐò - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    O24 - Desktop Component 0: (no name) - http://ic1.deviantart.com/fs7/f/2005/248/8/3/collage_00120.jpg

    O24 - Desktop Component 1: (no name) - http://ic1.deviantart.com/fs7/i/2005/245/4/2/Lex_Speaks___Wallpaper_by_MiniCow.jpg

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\SYSTEM32\byxuvur.dll
    C:\WINDOWS\Downloaded Program Files\fcplugin.dll

    E:\Program Files\ºÆ·½¶Ôսƽ̨\GameClient.exe
    C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
    D:\QQ\SendMMS.htm

    C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
    D:\QQ\AddEmotion.htm
    D:\QQ\AddPanel.htm

    E:\Program Files\KuGoo3\KuGoo3DownX.htm
    D:\QQ\AddToNetDisk.htm
    C:\Program Files\EbayShop\EbayShop.exe

    D:\QQ\QQ.exe
    C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe
    C:\PROGRA~1\3721\helper.dll

    C:\Program Files\eSnips\ClientGW.exe
    C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
    C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

    C:\WINDOWS\system32\syshelper.dll
    C:\WINDOWS\DOWNLO~1\cnshook.dll
    C:\Program Files\Alexacn\Alexacn.dll

    C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
    C:\Program Files\Yayad\AdCore.dll

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  19. OKai

    OKai TS Rookie Topic Starter Posts: 35

    I have deleted the files you advised in the HJT scan during safe mode.

    I have also used the Pocket Killbox to make sure those files are gone.

    I attached a fresh HJT logfile as an attachment.

    What should I do now?

    Should I go on with the AVG Antispyware scan? Or should I "test" my computer using the VBG first, to check whether the computer still has the problem of rebooting in the middle of an "anti-trojan" search?

    Coz the AVG takes hours and hours to finish.
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    A lot of the nasties that were on your system have now gone. However, you're not out of the woods yet and it's very important that you follow the instructions below exactly. I'm sorry that the AVG Antispyware scan takes so long, but it is important that I see an AVG Antispyware log.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Then do the following.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: ÑÅ»¢ÖúÊÖ - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)

    O2 - BHO: (no name) - {7AD0A7B3-2A8D-4456-9C59-27734A98DD63} - C:\WINDOWS\system32\ddayv.dll (file missing)

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll (file missing)

    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\eftwyifm.dll (file missing)

    O3 - Toolbar: ÑÅ»¢ÖúÊÖ - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)

    O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qflpbegx.dll",realset

    O9 - Extra button: Yahoo 3.5GµçÓÊ - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

    O9 - Extra button: ÃûÆ·ÕÛ¿Û - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

    O9 - Extra button: ÑÅ»¢ÖúÊÖ - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

    O9 - Extra button: ÑÅ»¢WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\QQ\QQ.EXE (file missing)

    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\QQ\QQ.EXE (file missing)

    O9 - Extra button: Çé¾°ÁÄÌì - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

    O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra 'Tools' menuitem: ÐÞ¸´ä¯ÀÀÆ÷ - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O9 - Extra 'Tools' menuitem: ÇåÀíÉÏÍø¼Ç¼ - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O18 - Protocol: ipp - (no CLSID) - (no file)

    O18 - Protocol: msdaipp - (no CLSID) - (no file)

    O18 - Filter hijack: text/html - (no CLSID) - (no file)

    O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)

    Click on the fix checked button.

    Close HJT and reboot your system.

    Please attach the c:\avenger.txt as well as AVG Antispyware, Combofix and a fresh HJT log into your next reply.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
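    As an added illustration (not code from this thread, from HijackThis or from any tool named here): a small Python triage script that parses lines in the HJT log format quoted in posts 18 and 20 above and orders them by the indicators the helper was acting on: O20 Winlogon Notify hooks, unnamed BHOs, rundll32 autostarts, "(file missing)"/"(no file)" orphans, and random-looking DLL names in system32. The sample log is constructed from entries quoted in the thread, and the vowel-ratio name test is an assumed heuristic for ranking, not a detection rule from any product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the HijackThis lines quoted in this thread
# (entries the helper listed for removal, plus two ordinary-looking entries
# so the heuristics have something to leave alone).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\byxuvur.dll
O2 - BHO: (no name) - {79E69320-8637-4377-AA12-B90AEE200D50} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qflpbegx.dll",realset
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: byxuvur - C:\WINDOWS\SYSTEM32\byxuvur.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
O22 - SharedTaskScheduler: Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .dll/.exe/.ocx; stops at quotes and commas so
# a rundll32 argument list does not swallow the trailing entry-point name.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|ocx)', re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O20"
    body: str                    # everything after the section code
    path: Optional[str]          # last DLL/EXE/OCX path on the line, if any
    reasons: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    # The last path is the one that matters: on a rundll32 autostart it is the
    # DLL being loaded, not rundll32.exe itself.
    matches = PATH_RE.findall(body)
    return matches[-1] if matches else None


def is_random_name(path: str) -> bool:
    # Assumed heuristic: an alphabetic stem of 4-10 letters with under 30% vowels
    # (byxuvur, jkklj, rpcc, qflpbegx pass; browseui and helper do not). It only
    # orders entries for a human to check; it is not a verdict.
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if not (4 <= len(stem) <= 10 and stem.isalpha()):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def classify(entry: Entry) -> None:
    # Record every indicator the line shows; several can apply at once.
    body = entry.body
    if entry.section == "O20":
        entry.reasons.append("winlogon-notify hook: loaded into winlogon.exe at every logon")
    if entry.section == "O2" and "(no name)" in body:
        entry.reasons.append("unnamed BHO")
    if entry.section == "O4" and "rundll32" in body.lower():
        entry.reasons.append("rundll32 autostart loading a DLL")
    if entry.section == "O18" and "Filter hijack" in body and "(no CLSID)" in body:
        entry.reasons.append("text/html filter hijack with no CLSID")
    if "(file missing)" in body or "(no file)" in body:
        entry.reasons.append("orphaned registration: file gone, registry entry remains")
    if entry.path and "\\system32\\" in entry.path.lower() and is_random_name(entry.path):
        entry.reasons.append("random-looking DLL name in system32")


def triage(log_text: str) -> List[Entry]:
    # Parse the log and return entries with the most indicators first;
    # sorted() is stable, so ties keep their order in the log.
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = Entry(section, body, extract_path(body))
        classify(entry)
        entries.append(entry)
    return sorted(entries, key=lambda e: -len(e.reasons))
```

Calling `triage(SAMPLE_LOG)` puts the orphaned, unnamed O2 entry for jkklj.dll first with three reasons and leaves the Need2Find and browseui lines with none, which matches what a reviewer would inspect first; entries the heuristics miss (ND2FNBAR.DLL here) still need the manual read Howard gave them.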
  21. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Ummm the avenger didn't seem to work for me last time when you asked me to use it, shall I use it again?
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes, try it again, but delete the one you currently have and redownload it.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  23. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Sadly the Avenger still did not work. I have attached a logfile stating why. The logfile showed that some parts are missing.

    Please advise.
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The Avenger worked perfectly that time and the nasty file has been deleted.

    Now, follow the rest of the instructions I gave you and post the requested logfiles.

    Regards Howard :)

    This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  25. OKai

    OKai TS Rookie Topic Starter Posts: 35

    Done with the very first step of deleting files with HJT.

    Although I do not seem to find these: (I did not run this HJT in safe mode)

    O18 - Protocol: ipp - (no CLSID) - (no file)

    O18 - Protocol: msdaipp - (no CLSID) - (no file)

    Should I continue with the procedures and ignore this?

    Please advise.