Computer Juice > Computer Software > Virus, Spyware & Security
  #1  
Old 4th Oct 2009, 08:55
New Member Group
 
One of our PCs running Windows XP SP3 started displaying large popups for questionable software scanning tools, then replaced the desktop image with a BSOD-type background. An AVG Free 8.5 scan reported no problems.

When we attempted to install Malwarebytes with Windows booted in safe mode, the install did not execute correctly and it would not run. It appeared that Malwarebytes files were missing. Finally we used a memory stick to copy over the Malwarebytes directory from "c:\program files" obtained from a clean PC. Malwarebytes now ran and reported a number of files infected with Trojan.Vundo.H. However, Malwarebytes did not remove the files, even after a reboot.

When we attempted to install SuperAntiSpyware, we got an error message, "The system administrator has set policies to prevent this installation," and it did not install.

Log files from Malwarebytes and HijackThis are pasted below.

Thanks for any possible help on how to proceed next!

---------------------------------------------------------
Contents of mbam-log-... .txt
---------------------------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/4/2009 8:08:15 AM
mbam-log-2009-10-04 (08-08-08).txt

Scan type: Quick Scan
Objects scanned: 106754
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\huhugafe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hupojoyu.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5275b55f-5234-4d6c-b3fd-22fa9974bf3e} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\somawofom (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{5275b55f-5234-4d6c-b3fd-22fa9974bf3e} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kilakagoy (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\huhugafe.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\huhugafe.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\huhugafe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hupojoyu.dll (Trojan.Vundo) -> No action taken.

---------------------------------------------------------
Contents of hijackthis.log:
---------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:16 AM, on 10/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [installnet.exe] "C:\Acer\LANScope Agent\Installnet.exe" "C:\Acer\LANScope Agent\
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [5325154837] C:\Documents and Settings\Alex\Application Data\5325154837\5325154837.exe
O4 - HKLM\..\Run: [somawofom] Rundll32.exe "c:\windows\system32\huhugafe.dll",a
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6796.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\vidohosi.dll ,hupojoyu.dll c:\windows\system32\huhugafe.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yuzevawat - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
O21 - SSODL: kilakagoy - {5275b55f-5234-4d6c-b3fd-22fa9974bf3e} - c:\windows\system32\huhugafe.dll
O22 - SharedTaskScheduler: kupuhivus - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {5275b55f-5234-4d6c-b3fd-22fa9974bf3e} - c:\windows\system32\huhugafe.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8701 bytes
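The HijackThis log above is a textbook Vundo layout: the same DLL is wired into AppInit_DLLs (loaded by user32.dll into every GUI process, Explorer included, even in Safe Mode), into ShellServiceObjectDelayLoad and SharedTaskScheduler (both loaded by Explorer at shell start, here under one shared CLSID), and into the Run key via rundll32. Correlating those sections is the triage step that tells you which file is the real hook and which entries are orphaned leftovers. The script below is an added example for this thread, not code from any post and not part of HijackThis; SAMPLE is copied from the O4/O20/O21/O22 lines of the posted log, and the regexes assume the HijackThis 2.0.x line formats shown there.

```python
"""Correlate autostart hooks in a HijackThis log (Vundo-style triage).

Added example for this thread, not part of any post and not HijackThis code.
SAMPLE is copied from the hijackthis.log posted above (O4/O20/O21/O22 lines
only); the regexes assume HijackThis 2.0.x line formats as shown there.
"""
import re
from collections import defaultdict

SAMPLE = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [5325154837] C:\Documents and Settings\Alex\Application Data\5325154837\5325154837.exe
O4 - HKLM\..\Run: [somawofom] Rundll32.exe "c:\windows\system32\huhugafe.dll",a
O20 - AppInit_DLLs: c:\windows\system32\vidohosi.dll ,hupojoyu.dll c:\windows\system32\huhugafe.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yuzevawat - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
O21 - SSODL: kilakagoy - {5275b55f-5234-4d6c-b3fd-22fa9974bf3e} - c:\windows\system32\huhugafe.dll
O22 - SharedTaskScheduler: kupuhivus - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {5275b55f-5234-4d6c-b3fd-22fa9974bf3e} - c:\windows\system32\huhugafe.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
# Either a quoted path or a bare drive-rooted path ending in exe/dll/com.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|com))', re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
COM_RE = re.compile(
    r"^(O21|O22) - (SSODL|SharedTaskScheduler): (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*?)"
    r"( \(file missing\))?$")


def base(path):
    """Lower-case file name; AppInit_DLLs entries may be bare system32 names."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hooks(log_text):
    """Map module name -> set of hook descriptions, plus the modules HijackThis
    reported as missing and the CLSIDs each module is registered under."""
    hooks, missing, clsids = defaultdict(set), set(), defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            for quoted, bare in PATH_RE.findall(cmd):
                hooks[base(quoted or bare)].add(f"O4 {hive}\\{key} [{name}]")
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is space- or comma-delimited; every user32 client loads each entry.
            for tok in re.split(r"[ ,]+", m.group(1)):
                if tok:
                    hooks[base(tok)].add("O20 AppInit_DLLs")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            hooks[base(m.group(2))].add(f"O20 Winlogon Notify [{m.group(1)}]")
            continue
        m = COM_RE.match(line)
        if m:
            sect, label, name, clsid, path, gone = m.groups()
            mod = base(path)
            hooks[mod].add(f"{sect} {label} [{name}] {clsid.lower()}")
            clsids[mod].add(clsid.lower())
            if gone:
                missing.add(mod)
    return hooks, missing, clsids


def triage(log_text, min_mechanisms=2):
    """Modules wired into at least `min_mechanisms` distinct autostart
    mechanisms (O4 Run, O20, O21 SSODL, O22 SharedTaskScheduler), plus any
    COM registration whose file is already gone; worst first."""
    hooks, missing, clsids = parse_hooks(log_text)
    findings = []
    for mod, where in hooks.items():
        mechanisms = {w.split(" ", 1)[0] for w in where}
        if len(mechanisms) >= min_mechanisms or mod in missing:
            findings.append({
                "module": mod,
                "mechanisms": len(mechanisms),
                "hooks": sorted(where),
                "clsids": sorted(clsids[mod]),
                "file_missing": mod in missing,
            })
    findings.sort(key=lambda f: (-f["mechanisms"], f["module"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        state = ("file missing: orphaned registration, still remove it" if f["file_missing"]
                 else "present: mapped into Explorer and every user32 client, hence locked")
        print(f"{f['module']}  [{f['mechanisms']} mechanisms]  {state}")
        for h in f["hooks"]:
            print("   ", h)
```

Run against the posted log, huhugafe.dll comes out with four independent autostart mechanisms and one shared CLSID, vidohosi.dll with three registrations but no file (the entries still need deleting), and hupojoyu.dll with only the AppInit_DLLs hook. Single-hook entries such as avgrsstx.dll are not flagged by this rule; vendor and signature checks, not hook counting, are what clear those.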
  #2  
Old 4th Oct 2009, 10:08
Moderator Group
 
Welcome to CJ.

Enable viewing of hidden system files & folders XP

Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK
----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

  • O4 - HKLM\..\Run: [5325154837] C:\Documents and Settings\Alex\Application Data\5325154837\5325154837.exe
  • O4 - HKLM\..\Run: [somawofom] Rundll32.exe "c:\windows\system32\huhugafe.dll",a
  • O20 - AppInit_DLLs: c:\windows\system32\vidohosi.dll ,hupojoyu.dll c:\windows\system32\huhugafe.dll
  • O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
  • O21 - SSODL: yuzevawat - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
  • O21 - SSODL: kilakagoy - {5275b55f-5234-4d6c-b3fd-22fa9974bf3e} - c:\windows\system32\huhugafe.dll
  • O22 - SharedTaskScheduler: kupuhivus - {c1f51192-7cca-4b67-95bf-aaca3d281bb4} - c:\windows\system32\vidohosi.dll (file missing)
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Now locate and delete these files. (if found)

C:\Documents and Settings\Alex\Application Data\5325154837\5325154837.exe

c:\windows\system32\huhugafe.dll

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
  #3  
Old 4th Oct 2009, 11:02
New Member Group
 
Thanks much for the help. A couple of questions along the way:

Quote:
Originally Posted by evilfantasy View Post
Now locate and delete these files. (if found)

C:\Documents and Settings\Alex\Application Data\5325154837\5325154837.exe

c:\windows\system32\huhugafe.dll
1) In addition to the 5325154837.exe file, do I take the blue highlighting correctly to mean I should also delete its .bat and .cfg files and the folder they are in (named "5325154837")?

2) When I attempt to delete c:\windows\system32\huhugafe.dll, I get an access-denied error and the file is not deleted. I'm running as administrator in safe mode, with no programs running other than Windows Explorer. Any suggestions on how to force the deletion?

Thanks again,
  #4  
Old 4th Oct 2009, 11:18
New Member Group
 
An update:

First, I should mention that besides c:\windows\system32\huhugafe.dll, I see there is a file hupojoyu.dll in the same directory that Malwarebytes reports as being infected by Trojan.Vundo. I assume I should be deleting this as well.

Besides being logged in as administrator in safe mode, I tried running cmd to get a DOS prompt to delete the above two .dll files, with no luck. I cleared their attributes with a command "attrib -r -s -h [filename]," but this also didn't work. I gather the next step might be to use a specialized file deletion tool or boot from a CD-ROM. Any suggestions on which way to go, and how to proceed?
  #5  
Old 4th Oct 2009, 12:24
New Member Group
 
Another update:

I ran across a program called MoveOnBoot (when I tried to install it, I got an error saying the system administrator had set a policy not allowing the installation, but I found I could run it by copying the .exe and .dll files from a clean PC). This succeeded in deleting c:\windows\system32\huhugafe.dll. However, I tried twice to use it to delete c:\windows\system32\hupojoyu.dll and it won't delete.
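Clearing the attributes could not help here: the DLL is loaded through AppInit_DLLs into every process that maps user32.dll, Explorer included, so Windows holds the image section open and refuses the delete with access denied. Tools of the MoveOnBoot kind work around that by queuing the file in the Session Manager's PendingFileRenameOperations list, which smss.exe processes at the next boot before any user32 client exists; the Win32 entry point for that queue is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. The script below is an added example for this thread, not code from any post and not MoveOnBoot's code. It assumes a Python 3 interpreter on the Windows machine and an administrative token (the value lives under HKLM); the pure helpers build and decode the REG_MULTI_SZ layout so the queue can be read back and checked after scheduling.

```python
"""Schedule a locked DLL for deletion at the next boot and show what lands in
the registry (the mechanism behind MoveOnBoot-style tools).

Added example for this thread, not code from any post or from MoveOnBoot.
Assumes Windows and Python 3 (ctypes needs kernel32, winreg is Windows-only)
and an administrative token, since the queue lives under HKLM.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING = "PendingFileRenameOperations"


def nt_path(win_path):
    """Win32 path -> the \\??\\ form smss.exe expects in the pending list."""
    if win_path.startswith("\\??\\"):
        return win_path
    return "\\??\\" + win_path


def pending_entries(deletes, renames=()):
    """Build the REG_MULTI_SZ pairs PendingFileRenameOperations uses: source,
    then destination; an empty destination means delete. This is the layout
    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends, reproduced here so
    the value read back from the registry can be compared against it."""
    out = []
    for src in deletes:
        out += [nt_path(src), ""]
    for src, dst in renames:
        out += [nt_path(src), nt_path(dst)]
    return out


def decode_pending(multi_sz):
    """Inverse of pending_entries(): list of (source, destination or None)."""
    it = iter(multi_sz)
    ops = []
    for src in it:
        dst = next(it, "")
        ops.append((src, dst or None))
    return ops


def schedule_delete_on_reboot(path):
    """Ask the kernel to delete `path` during the next boot, before any
    user-mode process (and so before AppInit_DLLs) can map it again."""
    if not sys.platform.startswith("win"):
        raise OSError("MoveFileExW is a Windows API")
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()
    return True


def read_pending():
    """Read the queue back so you can confirm the entry actually landed."""
    import winreg  # Windows only, hence imported here
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING)
        except FileNotFoundError:
            return []
    return decode_pending(value)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\hupojoyu.dll"
    print("expected registry pairs:", pending_entries([target]))
    schedule_delete_on_reboot(target)
    for src, dst in read_pending():
        print(src, "->", dst or "<delete>")
```

After scheduling, read the queue back and confirm the \??\ entry is present with an empty destination; if it is not there, or the file is still present after the reboot, something else on the box is rewriting that value and the deferred delete is not going to win on its own.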
  #6  
Old 4th Oct 2009, 15:47
Moderator Group
 
Yeah, the malware has the files locked. I'm pretty sure this is a new, very hard piece of malware you have run into. Takes a bit more work but we'll get it.

Post the two logs from these next two scans please.

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double-click on it to run it.

AVPFind.bat

It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


Now download and Run exeHelper
  • Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
  #7  
Old 4th Oct 2009, 16:57
New Member Group
 
Thanks. Here is the avplog.txt:

******************************************************************************
* AVPFind.bat - (c) 09/01/2009 By Chaslang *
* *
* Helps to identify potential AntiVirus Pro infected system DLL files and *
* and poosible replacement files to use during cleanup. *
******************************************************************************

Windows OS is

Microsoft Windows XP [Version 5.1.2600]

============= Finding copies of eventlog.dll =================================
"C:\i386\EVENTLOG.DL_" 30131 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll" 55808 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" 56320 04/13/2008 05:11 PM
"C:\WINDOWS\system32\eventlog.dll" 56320 04/13/2008 05:11 PM

============= Finding copies of netlogon.dll =================================
"C:\i386\NETLOGON.DL_" 181419 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll" 407040 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\netlogon.dll" 407040 04/13/2008 05:12 PM
"C:\WINDOWS\system32\netlogon.dll" 407040 04/13/2008 05:12 PM

============= Finding copies of scecli.dll =================================
"C:\i386\SCECLI.DL_" 71807 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\scecli.dll" 180224 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\scecli.dll" 181248 04/13/2008 05:12 PM
"C:\WINDOWS\system32\scecli.dll" 181248 04/13/2008 05:12 PM

******************************************************************************



And here is the exehelperlog.txt:

exeHelper by Raktor - 09
Build 20090925
Run at 16:54:53 on 10/04/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
  #8  
Old 4th Oct 2009, 17:26
New Member Group
 
I thought I might mention something else I noticed:

It stuck in my mind that the two dubious files in c:\windows\system32 -- huhugafe.dll and hupojoyu.dll -- were both created on 7-3-09. I therefore used Windows Explorer to display the contents of c:\windows\system32 by date.

These other files show creation dates of 7-3-09:

ie4uinit.exe
vivodiha.dll
zanamalo.dll
iedkcs32.dll
iepeers.dll
iertutil.dll
inetcpl.cpl
jsproxy.dll
msfeeds.dll
occache.dll
urlmon.dll
wininet.dll
gahejeyu.dll
yefanopa.exe
hupojoyu.dll
wogisewo.dll

In addition, the following files have creation dates later in July or in August:

tagetega.dll
tohuzeno.exe
worusego.dll
wmp.dll
wmpdxm.dll
tzchange.exe
atl.dll
mshtml.dll
ieframe.dll
mswebdvd.dll
avgrsstx.dll
TZLog.log

The following file has a creation date of yesterday:

rayefeku.dll

And the following two files have creation dates of today:

wpa.dbl
guholata (no file extension)

Many of these filenames look very suspicious to me. Could a number of other files be involved here?

If it's beginning to look very complex to deal with this, one other option would be to save our documents onto an external drive and return the PC to its factory delivery state.
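The instinct in the post above is right, and it can be turned into a repeatable check. Every dropped name in this thread (huhugafe, hupojoyu, vidohosi, somawofom, kilakagoy and the rest) is eight or nine lowercase letters in a strict consonant-vowel alternation, which is how this family generates names, while the genuine system files next to them (iertutil, mswebdvd, tzchange, wininet) break the pattern. The script below is an added example for this thread, not code from any post or tool named here. LISTING is constructed from the names and dates the poster reported (the "later in July or August" group carries no exact date); the allowlist is a single known false positive and is an assumption to extend from a clean machine. The date bucketing is there to make the caveat visible: the 7-3-09 cluster also contains legitimate IE files, so creation date alone is not an indicator.

```python
"""Flag Vundo-style random file names in a system32 listing and show how
they cluster by creation date.

Added example for this thread; not from any post or any tool named here.
LISTING is constructed from the file names and dates the poster reported
(files given only as "later in July or August" carry no exact date).
"""
import re
from collections import defaultdict
from datetime import date

# Every dropped name in this thread (huhugafe, hupojoyu, somawofom,
# kilakagoy, ...) is 8 or 9 lowercase letters, strictly alternating
# consonant/vowel and starting with a consonant; y is used as a consonant.
PRONOUNCEABLE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}[b-df-hj-np-tv-z]?$")

# Legitimate Windows files that happen to fit the pattern (assumed starting
# point; build the real list from a clean machine before relying on it).
ALLOWLIST = {"setupapi.dll"}

JUL_AUG = None  # poster gave no exact date for this group

LISTING = [
    ("ie4uinit.exe", date(2009, 7, 3)), ("vivodiha.dll", date(2009, 7, 3)),
    ("zanamalo.dll", date(2009, 7, 3)), ("iedkcs32.dll", date(2009, 7, 3)),
    ("iepeers.dll", date(2009, 7, 3)), ("iertutil.dll", date(2009, 7, 3)),
    ("inetcpl.cpl", date(2009, 7, 3)), ("jsproxy.dll", date(2009, 7, 3)),
    ("msfeeds.dll", date(2009, 7, 3)), ("occache.dll", date(2009, 7, 3)),
    ("urlmon.dll", date(2009, 7, 3)), ("wininet.dll", date(2009, 7, 3)),
    ("gahejeyu.dll", date(2009, 7, 3)), ("yefanopa.exe", date(2009, 7, 3)),
    ("hupojoyu.dll", date(2009, 7, 3)), ("wogisewo.dll", date(2009, 7, 3)),
    ("huhugafe.dll", date(2009, 7, 3)),
    ("tagetega.dll", JUL_AUG), ("tohuzeno.exe", JUL_AUG), ("worusego.dll", JUL_AUG),
    ("wmp.dll", JUL_AUG), ("wmpdxm.dll", JUL_AUG), ("tzchange.exe", JUL_AUG),
    ("atl.dll", JUL_AUG), ("mshtml.dll", JUL_AUG), ("ieframe.dll", JUL_AUG),
    ("mswebdvd.dll", JUL_AUG), ("avgrsstx.dll", JUL_AUG), ("TZLog.log", JUL_AUG),
    ("rayefeku.dll", date(2009, 10, 3)),
    ("wpa.dbl", date(2009, 10, 4)), ("guholata", date(2009, 10, 4)),
]


def suspicious_name(filename):
    """True when the stem matches the CVCV... pattern and the file is not allowlisted."""
    name = filename.lower()
    stem = name.rsplit(".", 1)[0]          # works for names with no extension too
    return name not in ALLOWLIST and PRONOUNCEABLE.match(stem) is not None


def triage(listing):
    """Return the flagged names and, per creation date, (flagged, total)
    counts, so drop dates stand out against ordinary update batches."""
    flagged = [name for name, _ in listing if suspicious_name(name)]
    by_date = defaultdict(lambda: [0, 0])
    for name, when in listing:
        key = when.isoformat() if when else "Jul/Aug 2009 (no exact date)"
        by_date[key][1] += 1
        by_date[key][0] += suspicious_name(name)
    return flagged, {k: tuple(v) for k, v in by_date.items()}


if __name__ == "__main__":
    flagged, by_date = triage(LISTING)
    for day, (bad, total) in sorted(by_date.items()):
        print(f"{day:<30} {bad:>2} of {total:>2} files match the naming pattern")
    print("review first:", ", ".join(flagged))
```

On the poster's listing this flags twelve files, all of the randomly named ones and none of the IE or Windows Media files sharing the same dates. The same regex matches the registry value names (somawofom, kilakagoy), so it can be pointed at HKLM Run and SSODL value names too. Treat a hit as "inspect this file", not as a verdict; an unsigned binary with a name like this, created on the same day as the known droppers, is what justifies removal.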
  #9  
Old 4th Oct 2009, 18:07
Moderator Group
 
Quote:
Could a number of other files be involved here?
Yes. But we will get them.

Quote:
one other option would be to save our documents onto an external drive and return the PC to its factory delivery state.
Your choice. But I'm confident we can take care of this fairly quickly.

We need to replace a file that is corrupted by the malware.

First:

Go to Start > Run and type notepad.exe then click OK.

Copy/paste the contents in the Code box below into Notepad.

Code:
@echo off
REM Stage a copy of eventlog.dll from the service-pack uninstall backup at C:\ for the next step
copy C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll c:\eventlog.dll
exit
In Notepad go to File > Save as...

Name it replace.bat and set "Save as type" to "All Files".

Locate replace.bat on your Desktop and double-click it.

Delete replace.bat from the Desktop when finished.

Second:
  • Download Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
  • Click on Start->Run, and copy-paste the following command (the blue text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please add this log in the next reply.
C:\win32kdiag.exe -f -r

Third:

Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your Desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code:
Comment:

Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.

Next post please add:
  • Win32kDiag.txt
  • Avenger log
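Before swapping a system DLL for a copy from elsewhere on the disk, it is worth reading the AVPFind listing posted earlier with a specific question in mind: which copy matches the build that is installed? In that log the ServicePackFiles\i386 copies carry the same size and timestamp (04/13/2008, the SP3 build) as the live files in system32, while the $NtServicePackUninstall$ copies are the pre-service-pack versions from 08/03/2004 and, for eventlog.dll and scecli.dll, a different size; the i386 .DL_ files are makecab-compressed and need expand.exe first. The script below is an added example for this thread, not part of AVPFind.bat or of any post; SAMPLE is copied from the posted avplog.txt. Matching size and timestamp is a screening step only: hash both files and check the Authenticode signature before replacing anything, because a patched DLL can keep its size.

```python
"""Compare the copies of a system DLL that AVPFind.bat lists against the
live one in system32 before choosing a replacement.

Added example for this thread; not part of AVPFind.bat or of any post.
SAMPLE is copied from the avplog.txt posted above. Size plus timestamp is a
screening step only; hash and signature-check before swapping anything.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE = r'''
============= Finding copies of eventlog.dll =================================
"C:\i386\EVENTLOG.DL_" 30131 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll" 55808 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" 56320 04/13/2008 05:11 PM
"C:\WINDOWS\system32\eventlog.dll" 56320 04/13/2008 05:11 PM

============= Finding copies of netlogon.dll =================================
"C:\i386\NETLOGON.DL_" 181419 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll" 407040 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\netlogon.dll" 407040 04/13/2008 05:12 PM
"C:\WINDOWS\system32\netlogon.dll" 407040 04/13/2008 05:12 PM

============= Finding copies of scecli.dll =================================
"C:\i386\SCECLI.DL_" 71807 08/03/2004 10:00 PM
"C:\WINDOWS\$NtServicePackUninstall$\scecli.dll" 180224 08/03/2004 10:00 PM
"C:\WINDOWS\ServicePackFiles\i386\scecli.dll" 181248 04/13/2008 05:12 PM
"C:\WINDOWS\system32\scecli.dll" 181248 04/13/2008 05:12 PM
'''

HEADER_RE = re.compile(r"^=+ Finding copies of (\S+) =+$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\d+)\s+(\d\d/\d\d/\d{4} \d\d:\d\d [AP]M)$')


def parse_avplog(text):
    """dll name -> [(path, size, 'YYYY-MM-DD HH:MM'), ...]"""
    copies, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = head.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            path, size, stamp = entry.groups()
            when = datetime.strptime(stamp, "%m/%d/%Y %I:%M %p").strftime("%Y-%m-%d %H:%M")
            copies[current].append((path, int(size), when))
    return copies


def assess(copies):
    """For each DLL: the live system32 copy's (size, time) and the other
    copies bucketed as exact metadata match, same size but different time,
    different, or makecab-compressed (.DL_, must go through expand.exe)."""
    report = {}
    for dll, entries in copies.items():
        live_suffix = "\\system32\\" + dll
        live = next(((s, w) for p, s, w in entries if p.lower().endswith(live_suffix)), None)
        buckets = {"live": live, "match": [], "size_only": [], "other": [], "compressed": []}
        for path, size, when in entries:
            low = path.lower()
            if low.endswith(live_suffix):
                continue
            if low.endswith("_"):
                buckets["compressed"].append(path)
            elif live and (size, when) == live:
                buckets["match"].append(path)
            elif live and size == live[0]:
                buckets["size_only"].append(path)   # same size proves nothing by itself
            else:
                buckets["other"].append(path)
        report[dll] = buckets
    return report


def pick_replacement(buckets):
    """Prefer a copy whose metadata matches the live file (same service-pack
    build); anything else changes the DLL's version and needs justifying."""
    return buckets["match"][0] if buckets["match"] else None


if __name__ == "__main__":
    for dll, b in assess(parse_avplog(SAMPLE)).items():
        print(f"{dll}: live={b['live']}")
        print(f"  same size+time : {b['match']}")
        print(f"  same size only : {b['size_only']}")
        print(f"  different      : {b['other']}")
        print(f"  compressed     : {b['compressed']}")
        print(f"  candidate      : {pick_replacement(b)}")
```

netlogon.dll is the instructive row: the 2004 uninstall copy has the same byte count as the live SP3 file but a different timestamp, which is exactly the case where a size-only comparison would mislead and a hash would not.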
  #10  
Old 4th Oct 2009, 20:27
New Member Group
 
Quote:
Originally Posted by evilfantasy View Post
  • Download Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
  • Click on Start->Run, and copy-paste the following command (the blue text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please add this log in the next reply.
C:\win32kdiag.exe -f -r
When I click on Start->Run and enter "C:\win32kdiag.exe -f -r", a DOS window opens with the name of the command at the top. The window has a plain black background, and a white cursor jumps around repeatedly in the window. It's been doing this for about 15 minutes now. Is this normal? How long does the scan usually take? Should I abort and retry? I'm working on the PC in safe mode logged on as administrator.
Copyright ©2006 - 2009 Computer Juice.