Another Virtumonde Problem
- Thread starter K_nan
- Start date
Hi
I see you've run VundoFix earlier. Let's check what it has removed. I've seen some case where VundoFix accidentally removed bunch of legal files making system ready for reformat.
Creating & executing batch file
-------------------------------
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file findFiles.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here)
@echo off
c:
cd\VundoFix backups
dir *.* /s >findFiles.txt
notepad findFiles.txt
Double-click on findFiles.bat file to execute it.
Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe -> something.exe
Start hjt (by clicking something.exe file), do a system scan, check (if found):
O2 - BHO: (no name) - {CA9840B8-7CF8-4761-BA31-B636059D7EDA} - C:\WINDOWS\system32\rqRKDWMc.dll (file missing)
O2 - BHO: (no name) - {D760BB28-F11D-44D9-AC34-E74BCE8B1C71} - C:\WINDOWS\system32\yayvUMCr.dll (file missing)
O4 - HKLM\..\Run: [BM4fdea442] Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AB364.dat
Close browsers and fix checked.
Please download the OTMoveIt2 by OldTimer.
I see you've run VundoFix earlier. Let's check what it has removed. I've seen some case where VundoFix accidentally removed bunch of legal files making system ready for reformat.
Creating & executing batch file
-------------------------------
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file findFiles.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here)
@echo off
c:
cd\VundoFix backups
dir *.* /s >findFiles.txt
notepad findFiles.txt
Double-click on findFiles.bat file to execute it.
Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe -> something.exe
Start hjt (by clicking something.exe file), do a system scan, check (if found):
O2 - BHO: (no name) - {CA9840B8-7CF8-4761-BA31-B636059D7EDA} - C:\WINDOWS\system32\rqRKDWMc.dll (file missing)
O2 - BHO: (no name) - {D760BB28-F11D-44D9-AC34-E74BCE8B1C71} - C:\WINDOWS\system32\yayvUMCr.dll (file missing)
O4 - HKLM\..\Run: [BM4fdea442] Rundll32.exe "C:\WINDOWS\system32\bfkekfva.dll",s
O4 - HKLM\..\Run: [4ced97de] rundll32.exe "C:\WINDOWS\system32\dlymvbvh.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AB364.dat
Close browsers and fix checked.
Please download the OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:C:\WINDOWS\system32\__c00AB364.dat C:\WINDOWS\system32\ovrefnyj.dll C:\WINDOWS\system32\juxsmxpk.dll C:\WINDOWS\system32\__c0094D98.dat C:\WINDOWS\system32\fcsalldk.dll C:\WINDOWS\system32\ilyjspyj.dll C:\WINDOWS\system32\tcehuloa.dll C:\WINDOWS\system32\hcjuybnl.dll C:\WINDOWS\system32\wcsfhqtx.dll C:\WINDOWS\system32\cmmijjxs.dll C:\WINDOWS\system32\bfggnubw.dll C:\WINDOWS\system32\ecpmqeej.exe C:\WINDOWS\system32\wtucejye.dll C:\WINDOWS\system32\dlymvbvh.dll C:\WINDOWS\system32\bfkekfva.dll C:\WINDOWS\system32\cMWDKRqr.ini2 C:\WINDOWS\system32\awtsPFVo.dll C:\WINDOWS\system32\__c00CAE93.dat C:\WINDOWS\system32\wfpoeuwk.dll C:\327882R2FWJFW C:\WINDOWS\system32\__c0027EB.dat C:\WINDOWS\system32\xaKlnnpo.ini2 C:\WINDOWS\system32\rCMUvyay.ini2 C:\WINDOWS\system32\fccbBQIX.dll C:\WINDOWS\system32\yayvUOgF.dll - Return to OTMoveIt2, right click in the
Paste Standard List of Files/Folders to Move
window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.