Very Dangerous Problem (Not previously addressed) : Trojan Vundo

Status
Not open for further replies.

OKai

Hello there,

I am in a grave mood and in deep misery. My computer has been infected with Trojan Vundo for about 1 week and it started to wreak havoc on my computer about 2 days ago.

I have tried many different ways to get rid of it. I tried Symantec's Trojan Vundo remover, the online scanner recommended by TechSpot, and many other trojan removers. I have also tried scanning and deleting it with my antivirus program.

However, each time I use such software to locate and destroy it, my computer just reboots. The various removers will just start scanning for the first 15 or so minutes, then it just stops in the middle, and my entire computer just restarts automatically.

Each time I log in to my computer, my antivirus program keeps on saying my computer is infected, and no matter how many times I click "delete virus" it will always pop back up instantly.

I am frustrated and stranded as I do not know how to approach this.

Please help me.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I have tried the way you suggested, but I do not know why every time I try to scan my computer using the remover programs my computer just reboots.
 
If you click on the link I gave you, you'd find out. However, since you ask, it's a small programme that enables us to see what's running on your system, both good and bad. It can also help us to stop certain processes from running.

Regards Howard :)

 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, attach the c:\avenger.txt

Also, let me know the results of the AVG Antirootkit scan.


Regards Howard :)

 

Attachment: avengerscript.txt (859 bytes)
When I install Avenger it says that it is a "Backdoor Agent" and my antivirus asks me what to do.

I clicked on "Ignore", and when I extract it and click on it, the file says that it cannot be reached or accessed or maybe I do not have enough privileges...? But I am the sole and ultimate owner of my computer! Arg!

What is the problem here?
 
The Avenger is definitely not a backdoor agent, but is a programme that is used to get rid of infected files etc.

Temporarily disable your antivirus programme and try to follow the instructions again.

Regards Howard :)

 
I turned my antivirus off and it worked.

However when I loaded the script & clicked on the green button, I got many little windows saying that there are many missing files.

However I kept on clicking and the computer just rebooted once, then a black window popped up also in there, it stated that a lot of files are "missing".

I have attached the avengerlog?
 
Whatever logfile that is, it's definitely not the Avenger log, which will be located in c:\avenger.txt.

See if you can attach that logfile.

Regards Howard :)

 
Ok here is what I get.

Error: Line processing failed

Press OK to log error and continue or Cancel to abort

Error code: 0
Line:

E:/Program Files/浩房对站平台/Gameclient.exe

Error: Could not create zip file

---

Could the problem be an error in the avengerscript you sent me?
 
Nope, no error in the Avenger script.

Let`s try this instead.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox

C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\SYSTEM32\byxuvur.dll
C:\WINDOWS\Downloaded Program Files\fcplugin.dll

E:\Program Files\浩方对战平台\GameClient.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
D:\QQ\SendMMS.htm

C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
D:\QQ\AddEmotion.htm
D:\QQ\AddPanel.htm

E:\Program Files\KuGoo3\KuGoo3DownX.htm
D:\QQ\AddToNetDisk.htm
C:\Program Files\EbayShop\EbayShop.exe

D:\QQ\QQ.exe
C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe
C:\PROGRA~1\3721\helper.dll

C:\Program Files\eSnips\ClientGW.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

C:\WINDOWS\system32\syshelper.dll
C:\WINDOWS\DOWNLO~1\cnshook.dll
C:\Program Files\Alexacn\Alexacn.dll

C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
C:\Program Files\Yayad\AdCore.dll

Once your system has rebooted, rehide your protected OS files.

Follow the instructions in this thread HERE and post the requested logfiles once done.

Regards Howard :)

 
Thanks.

I have already finished with the Pocket Killbox Programme, and I have deleted the files you have listed for me while in Safe Mode while "Show(ing) all files and folders, including hidden and system".

When I rebooted my computer this avenger.txt popped up. I have included it just for your reference.

At the moment my antivirus programme still reports that my computer has the Trojan Vundo.rg

I will run the AVG Antispyware, Combofix, and HijackThis in about 12 hours time. (I live in ASIA, near Hong Kong)

I will then provide the logs for you ASAP. Please come back and check often. I will be going to sleep now! Thanks so far! I still need your help.
 
No worries. As soon as you post again with your logfiles, I'll get an email notification that you've posted. ;)

Regards Howard :)

 
I report grave and distressing news.

As I have already stated, the problem with my computer is that EVERY TIME I use some sort of "anti-virus/spyware/trojan software" to try to locate and eliminate threats, MY COMPUTER JUST RESTARTS AUTOMATICALLY IN THE MIDDLE OF THE SEARCH.

Somehow the Trojans on my computer (Trojan Vundo) sense that some program is trying to locate them, and then automatically reboot the computer, halting the search prematurely EVERY TIME!

I have tried using the 3 tools you gave me and only VBG worked (but the system rebooted while in the middle of it) and the other 2 just didn't load. I have included a logfile of VBG.

I have also used the AVG Antispyware, after searching for 3.5 hours my computer automatically rebooted itself. Perhaps the malware in my computer sensed that something is targeting them.

I am extremely stressed.

Please offer more advice.
 
That`s not good.

Let`s see if we can manually remove some of the nasties.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there):

GameClient.exe
EbayShop.exe
QQ.exe

Webthirdcoal.exe
ClientGW.exe
yassistse.exe

YLive.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O2 - BHO: Ad Engine - {077FD0C3-1291-4104-A356-41E36B252682} - C:\Program Files\Yayad\AdCore.dll

O2 - BHO: (no name) - {25530E69-0363-3CBD-79FA-C83FD967CD7E} - (no file)

O2 - BHO: (no name) - {3703132A-5D9B-4BFF-8C42-3DC88EF5E2A2} - C:\WINDOWS\system32\geedc.dll (file missing)

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL

O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\byxuvur.dll

O2 - BHO: (no name) - {79E69320-8637-4377-AA12-B90AEE200D50} - C:\WINDOWS\system32\jkklj.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: IEHelper Class - {9583C683-1E3B-46D9-BB95-EBB0939E49D4} - C:\WINDOWS\System32\goxhelper.dll (file missing)

O2 - BHO: (no name) - {9DB24B4F-371A-4F3D-B189-B2E7C918C80B} - C:\WINDOWS\system32\geebb.dll (file missing)

O2 - BHO: Alexacn.xLeft - {B437B7E2-B769-4F90-A2AD-FF5520637977} - C:\Program Files\Alexacn\Alexacn.dll

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll

O2 - BHO: Csyshelper Object - {E16BB625-16F1-4338-AA38-098F6873AC24} - C:\WINDOWS\system32\syshelper.dll

O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no file)

O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"

O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"

O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

O4 - HKCU\..\Run: [Media Drv] C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe

O4 - Startup: 腾讯QQ.lnk = D:\QQ\QQ.exe

O4 - Global Startup: eBay易趣--全球商品一网打尽.lnk = C:\Program Files\EbayShop\EbayShop.exe

O8 - Extra context menu item: &Search - http://kw.bar.need2find.com/KW/menusearch.html?p=KW

O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\QQ\AddToNetDisk.htm

O8 - Extra context menu item: 使用KuGoo3下载(&K) - E:\Program Files\KuGoo3\KuGoo3DownX.htm

O8 - Extra context menu item: 收藏此页到新浪ViVi - http://vivi.sina.com.cn/collect/click.php?agent=ddt

O8 - Extra context menu item: 新浪搜索 - http://cha.sina.com.cn/ddt.html

O8 - Extra context menu item: 添加到QQ自定义面板 - D:\QQ\AddPanel.htm

O8 - Extra context menu item: 添加到QQ表情 - D:\QQ\AddEmotion.htm

O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT

O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\QQ\SendMMS.htm

O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246

O9 - Extra button: FirstClass? - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll

O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - E:\Program Files\浩方对战平台\GameClient.exe

O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O11 - Options group: [!CNS] 中文上网

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c415.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab

O16 - DPF: {98A62E3F-A8C5-4EF0-8A00-C70CF9D18A89} (LoaderCore Class) - http://tb.sogou.com/DLLoader.cab

O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass?Control) - http://ramsnet.aisgz.edu.cn/ClientDownloads/fcplugin.cab

O16 - DPF: {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2} (Qzone Media Tools) - http://qqmusic.qq.com/QQPlayer.cab

O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll

O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX (file missing)

O18 - Filter hijack: text/html - (no CLSID) - (no file)

O20 - Winlogon Notify: byxuvur - C:\WINDOWS\SYSTEM32\byxuvur.dll

O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)

O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)

O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O24 - Desktop Component 0: (no name) - http://ic1.deviantart.com/fs7/f/2005/248/8/3/collage_00120.jpg

O24 - Desktop Component 1: (no name) - http://ic1.deviantart.com/fs7/i/2005/245/4/2/Lex_Speaks___Wallpaper_by_MiniCow.jpg

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\SYSTEM32\byxuvur.dll
C:\WINDOWS\Downloaded Program Files\fcplugin.dll

E:\Program Files\浩方对战平台\GameClient.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
D:\QQ\SendMMS.htm

C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
D:\QQ\AddEmotion.htm
D:\QQ\AddPanel.htm

E:\Program Files\KuGoo3\KuGoo3DownX.htm
D:\QQ\AddToNetDisk.htm
C:\Program Files\EbayShop\EbayShop.exe

D:\QQ\QQ.exe
C:\DOCUME~1\max\APPLIC~1\chindate\Webthirdcoal.exe
C:\PROGRA~1\3721\helper.dll

C:\Program Files\eSnips\ClientGW.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

C:\WINDOWS\system32\syshelper.dll
C:\WINDOWS\DOWNLO~1\cnshook.dll
C:\Program Files\Alexacn\Alexacn.dll

C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
C:\Program Files\Yayad\AdCore.dll

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

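The HJT entries in the post above show the persistence shape that Vundo-family adware was known for: the same DLL under C:\WINDOWS\system32 (here byxuvur.dll) is registered both as a Browser Helper Object (an O2 line, from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects) and as a Winlogon Notify package (an O20 line, from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify). A Winlogon Notify DLL is loaded into winlogon.exe, a process whose crash takes the whole system down, which is worth keeping in mind when a cleaner reboots the machine mid-scan, although the thread itself does not establish that this is what happened here. Entries marked "(file missing)" are dead registry references: they get fixed in HJT, but there is nothing on disk to delete.

The following Python script is an added example, not part of the original thread and not code from HijackThis or TechSpot. It parses lines in the HijackThis log format, flags any module that appears in both an O2 and an O20 entry, and builds the list of still-present files that would be fed to a delete-on-reboot tool such as Killbox. The sample log lines are constructed for the example and modelled on the entries quoted above; the O2+O20 co-occurrence rule is a heuristic of this example, not a definitive indicator of infection.

```python
"""Parse HijackThis-style log lines and flag the Vundo-style O2+O20 pattern.

Added example; SAMPLE_LOG below is constructed and modelled on the entries
quoted in the thread, not copied from a real log.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample in the HijackThis line format ("<section> - <description>").
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\byxuvur.dll
O2 - BHO: (no name) - {79E69320-8637-4377-AA12-B90AEE200D50} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Csyshelper Object - {E16BB625-16F1-4338-AA38-098F6873AC24} - C:\WINDOWS\system32\syshelper.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qflpbegx.dll",realset
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: byxuvur - C:\WINDOWS\SYSTEM32\byxuvur.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
_LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# First drive-letter path ending in a loadable module; paths may contain spaces.
_PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"<>|]*?\.(?:dll|exe|ocx))', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str          # HJT section code, e.g. "O2" or "O20"
    body: str             # the rest of the line
    path: Optional[str]   # module path if the line names one
    missing: bool         # HJT appended "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log text into Entry records; lines that are not O-entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = _PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             p.group("path") if p else None,
                             "(file missing)" in body))
    return entries


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def vundo_suspects(entries: List[Entry]) -> Dict[str, dict]:
    """Return modules registered both as a BHO (O2) and as a Winlogon Notify package (O20).

    Heuristic (an assumption of this example): one DLL hooked into both Internet
    Explorer and winlogon.exe is the persistence shape Vundo-family adware used.
    """
    by_name = defaultdict(lambda: {"sections": set(), "path": None, "missing": False})
    for e in entries:
        if e.path is None:
            continue
        rec = by_name[_basename(e.path)]
        rec["sections"].add(e.section)
        rec["path"] = rec["path"] or e.path
        rec["missing"] = rec["missing"] or e.missing
    return {name: {"sections": sorted(rec["sections"]),
                   "path": rec["path"], "missing": rec["missing"]}
            for name, rec in by_name.items()
            if {"O2", "O20"} <= rec["sections"]}


def deletion_targets(entries: List[Entry]) -> List[str]:
    """Paths still present on disk (no "(file missing)"), deduplicated case-insensitively.

    Missing entries are dead registry references: fix them in HJT, nothing to delete.
    """
    seen: Dict[str, str] = {}
    for e in entries:
        if e.path and not e.missing:
            seen.setdefault(e.path.lower(), e.path)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, info in vundo_suspects(parsed).items():
        state = "file missing" if info["missing"] else "present"
        print(f"suspect {name}: sections {info['sections']} ({state})")
    print("delete on reboot:", *deletion_targets(parsed), sep="\n  ")
```

On the sample, byxuvur.dll and jkklj.dll are the two O2+O20 suspects; only byxuvur.dll is still present, so it is the one that needs deleting on reboot, while jkklj.dll only needs its registry entries fixed. The regex deliberately stops at the first .dll/.exe/.ocx so that res:// suffixes such as yrss.dll/YRSSMENUEXT do not end up in the path.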
 
I have deleted the files you advised in the HJT scan during safe mode.

I have also used the Pocket Killbox to make sure those files are gone.

I attached a fresh HJT logfile as an attachment.

What should I do now?

Should I go on with the AVG Antispyware scan? Or should I "test" my computer using the VBG first, to check whether the computer still has the problem of rebooting in the middle of an "anti-trojan" search.

Coz the AVG takes hours and hours to finish.
 
A lot of the nasties that were on your system have now gone. However, you're not out of the woods yet and it's very important that you follow the instructions below exactly. I'm sorry that the AVG Antispyware scan takes so long, but it is important that I see an AVG Antispyware log.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Then do the following.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)

O2 - BHO: (no name) - {7AD0A7B3-2A8D-4456-9C59-27734A98DD63} - C:\WINDOWS\system32\ddayv.dll (file missing)

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll (file missing)

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\eftwyifm.dll (file missing)

O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll (file missing)

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qflpbegx.dll",realset

O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\QQ\QQ.EXE (file missing)

O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\QQ\QQ.EXE (file missing)

O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O18 - Protocol: ipp - (no CLSID) - (no file)

O18 - Protocol: msdaipp - (no CLSID) - (no file)

O18 - Filter hijack: text/html - (no CLSID) - (no file)

O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)

Click on the fix checked button.

Close HJT and reboot your system.

Please attach the c:\avenger.txt as well as AVG Antispyware, Combofix and a fresh HJT log into your next reply.

Regards Howard :)

 
Ummm the avenger didn't seem to work for me last time when you asked me to use it, shall I use it again?
 
Yes, try it again, but delete the one you currently have and redownload it.

Regards Howard :)

 
Sadly the Avenger still did not work. I have attached a logfile stating why. The logfile showed that some parts are missing.

Please advise.
 
The Avenger worked perfectly that time and the nasty file has been deleted.

Avenger log said:
File C:\WINDOWS\system32\qflpbegx.dll deleted successfully.

Now, follow the rest of the instructions I gave you and post the requested logfiles.

Regards Howard :)

 
Done with the very first step of deleting files with HJT.

Although I do not seem to find these: (I did not run this HJT in safe mode)


O18 - Protocol: ipp - (no CLSID) - (no file)

O18 - Protocol: msdaipp - (no CLSID) - (no file)

Should I continue with the procedures and ignore this?

Please advise.
 