Random pop-ups

By Shecky504 · 6 replies
Jan 4, 2009
  1. Hello, I have followed the 8 steps but I'm still receiving random pop-ups in Firefox on Windows XP. I've attached my 3 logs. Please let me know if you can help.
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Files Infected:
    Memory Modules Infected:
    C:\WINDOWS\system32\bolfnkwy.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\pmnmLBqr.dll (Trojan.Vundo.H) -> Delete on reboot.
    MBAM did not handle all that it found until the computer restart.

    Rescan with MBAM & SAS (run as pairs) until clean or something that cannot be cleaned.

    HJT scan informs what has not been handled (computer restart before HJT scan)

    Caught by HJT. Tick & Fix. Restart computer.
    O2 - BHO: {dd3878c5-bcd0-07f8-bda4-36750fad48f1} - {1f84daf0-5763-4adb-8f70-0dcb5c8783dd} - C:\WINDOWS\system32\qpatov.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
    O4 - HKLM\..\RunServices: [Device Manager] wfxmgr.exe
    O20 - AppInit_DLLs: qpatov.dll

    Delete no files or folders – yet.

    Please provide details for wfxmgr.exe by trying to locate it in ‘device manager’
    ( Start > run devmgmt.msc > view > show hidden devices >> the hunt begins)
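A triage pass over the five HijackThis entries quoted in the post above, as an added example that is not part of the original thread or of HijackThis itself. The three heuristics are assumptions chosen for illustration and do not reproduce the helper's judgement (the MSConfig entry, for instance, is not flagged); `parse` and `triage` are hypothetical names.

```python
import re
from collections import defaultdict

# The five HijackThis entries quoted in the post above (copied from the page).
HJT_LINES = [
    r"O2 - BHO: {dd3878c5-bcd0-07f8-bda4-36750fad48f1} - {1f84daf0-5763-4adb-8f70-0dcb5c8783dd} - C:\WINDOWS\system32\qpatov.dll",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKLM\..\RunServices: [Windows] taskmngr.exe",
    r"O4 - HKLM\..\RunServices: [Device Manager] wfxmgr.exe",
    r"O20 - AppInit_DLLs: qpatov.dll",
]

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")              # section, kind, detail
FILE = re.compile(r"([^\\\s]+\.(?:exe|dll))\b", re.IGNORECASE)  # file name without its directory

def parse(line):
    """Split one HijackThis line into its fields; None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    f = FILE.search(detail)
    return {"section": section, "kind": kind, "detail": detail,
            "file": f.group(1).lower() if f else None,
            "full_path": "\\" in detail}

def triage(lines):
    """Return (section, file, reasons) for entries worth a manual look (heuristics, not verdicts)."""
    entries = [e for e in map(parse, lines) if e]
    seen = defaultdict(set)                      # file name -> sections that reference it
    for e in entries:
        if e["file"]:
            seen[e["file"]].add(e["section"])
    report = []
    for e in entries:
        reasons = []
        if e["section"] == "O20" and e["kind"] == "AppInit_DLLs" and e["detail"].strip():
            reasons.append("AppInit_DLLs set: DLL is loaded into every process that loads user32.dll")
        if e["section"] == "O4" and not e["full_path"]:
            reasons.append("autostart command has no full path")
        if e["file"] and len(seen[e["file"]]) > 1:
            reasons.append("same file referenced from " + ", ".join(sorted(seen[e["file"]])))
        if reasons:
            report.append((e["section"], e["file"], reasons))
    return report

if __name__ == "__main__":
    for section, name, reasons in triage(HJT_LINES):
        print(section, name, "|", "; ".join(reasons))
```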
  3. Shecky504

    Shecky504 TS Rookie Topic Starter

    Thank you rf6647. I followed your directions and fixed the items in HiJackThis. I was unable to find wfxmgr.exe in device manager after the restart. I have not experienced a pop-up yet either. Thank you for the help and please let me know if I should do anything else.
  4. rf6647

    rf6647 TS Maniac Posts: 829

    You indicate that the infection was handled. The referral also included advice to repeat scans with MBAM & SAS to confirm the computer is clean.

    The Mods may never move logs to this thread. Logs appear under this thread.

    Some cleanup items
    • Delete file: C:\WINDOWS\system32\qpatov.dll
      • Not listed as safe - Not listed as malware
    • Use 'regedit' to remove references to qpatov.dll
      • No usage expected to be found

    Establish a new clean restore point and Clear your existing System Restore points:
    • New
      • Go to Start > All Programs > Accessories > System Tools > System Restore >
      • Select Create a restore point > OK.
    • Clear Old
      • Go to Start > Run > cleanmgr > Select the More options tab >
      • Choose the option to clean up System Restore > OK
      • This will remove all restore points except the new one you just created.
  5. Shecky504

    Shecky504 TS Rookie Topic Starter

    Ok, I re-ran both programs (it takes about 2 1/2 hours to run them) and here are the new logs. I deleted the qpatov files and did as you said with the system restore as well. All seems to be well but I will run the two programs again until it is totally clean.
  6. rf6647

    rf6647 TS Maniac Posts: 829

    And remember that all-important RESTART.
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
    And yes, a clean log seems superfluous over a mere statement.
  7. Shecky504

    Shecky504 TS Rookie Topic Starter

    Perfect, thanks again!
Topic Status:
Not open for further replies.
