Very Strange AutoRun Entry? BMd75f45c6

Hi,

Definitly something up with my computer today. I d'led a torrent yesterday for a FLV to SWF converter.... scanned it, but nothign came up in scan.

This morning I turned on my computer and at first the Desk Top would not load. So I shut down and started again, it loaded. Then I noticed that on some of the web sites I own, some of my graphics were replaced with what seems like Spyware/Adware... on my computer the graphics are changed w/ links/graphics to other crap... I double checked on my BF's computer and I see that the graphics show as normal, so I must have a virus, Trojan... etc something is definitely on my system. i also noticed that my Wacom tablet won't work. It won't draw anything, thought the mouse works fine.

In the Autoruns... startup I notice and entry called
BMd75f45c6 and the location is listed as:
Rundll32.exe "C:\WINDOWS\system32\kfaurftq.dll,s

I tried to use a-Squared HiJack Free to disable this from startup (uncheck), but it seems to replicate itself even though it has been uncheked.

So I went in and I right clicked and deleted the object from AutoRun.

Even though I delete it, it keeps coming back.

I've searched for "kfaurftq.dll,s" and "BMd75f45c6" on Google, but nothing comes up.

Any ideas what this is and how to get rid of it?

I'm going thru the Malware removal guide after I finish a deep, thorough scan with Avast... but figured I'd post this up to see if anyone is familiar with it.

Thanks!

 

Hi Chaslang,

Hope you are doing well

It looks like I do have Vundo, and maybe something else. I've gone through the removal guide, but seem to still be infected with something because on a web site I own, I see one image being replaced by some warning about being infected with Spyware, and it's supposed to be a different image. I looked at the site on my boyfriend's computer and it shows the normal image, so there is definitly some sort of Spyware/Adware on my system.

I've made notes of some things I encountered while running the Malware removal guide steps.

The notes are below. Logs are attached.

Avast found Virtumonde/Vundo

VUNDO REMOVAL VIA VundoFix V7.0.3
Found 6 Instances
C:\WINDOWS\system32\dfwyrlni.dll
C:\WINDOWS\system32\IijSBJjl.ini
C:\WINDOWS\system32\IijsbJjl.ini2
C:\WINDOWS\system32\inlrywfd.ini
C:\WINDOWS\system32\ljJBSjiI.dll
C:\WINDOWS\system32\PWRISOSH.dll


Virus Removal Notes _ Step Thru Malware Guide

REMOVED
Java (TM)SE Runtime Environment 6 Update 1
Java (TM) 6 Update 2
J2SE Runtime Environment 5.0 Update 11
UPDATED w/ Current V of JRE

Scanned w/ SUPERAntiSpyware
Results:
Adware.Vundo Variant/Resident 2
Trojan.Downloader-NewJuan/VM 2
Adware.Vundo-Variant/E 3
Adware.Vundo-Variant/Small-A 9
Adware.Vundo-Variant 5

After I came back from rebooting, I got these "error messages"
Error Loading:
c:\WINDOWS\system32\kfaurftq.dll
c:\WINDOWS\system32\woetatoo.dll
c:\WINDOWS\system32\mptiqksw.dll

SPybot S&D

Ran it
Found
Windows Active Desktop 1 Entry
Virtumonde 3 Entries
Virtumonde.dll 8 Entries

Selected to Fix items,
The screen froze. I began to wait to see if the freeze would resolve, but while I waited I got a message that said:
Failed to load C;\Program Files\Spybot - Search_Destroy\DelZip179.dll
That window kept popping up and would not go away, so I had kept pressing "OK a zillion times" and finally it went away and then the S&D screen showed the green checkmarks that are to display when something has been fixed.
Closed Spybot S&D.

Ran Malwarebytes' AM
Could not delete
C:\WINDOWS\system32\atklkgny.dll_old
C:\WINDOWS\system32\rqRHbyOi.dll_old

After I came back from rebooting, I got these "error messages"
Error Loading:
c:\WINDOWS\system32\atlkgny.dll
c:\WINDOWS\system32\ubgwqdrl.dll

I pressed OK to clear these.

I went on to try to run ComboFix, but it seemed to do nothing and not combofix.txt log was created in C. I followed the instructions. All my startup entries were on though. I hadn't changed that setting from when I unchecked selective startup at the beginning of me using the Guide.

 

Just trying to attach an image of the site I noticed the problem on.

 

I thought I'd add that I just went to FileResearchCenter.com and ran the process check and it found Vundo still:
Running Applications
Adware.Vundo-Variant/Small-A.Process XTDWXPLO.DLL ADWARE/Adware.Vundo-Variant/Small-A.Process More Info
Description
Adware.Vundo-Variant/Small-A.Process

File Location on your Computer
C:\WINDOWS\SYSTEM32\XTDWXPLO.DLL

Registry Path and CLSID where file was detected on your Computer

File Size (bytes)
85056 MD5 Checksum/Fingerprint
CF54B6AC85ED72F26F5325720D1AEF1A
Company Name
Unknown Company Url/Website
File Version Information Show/Hide Version Information
File Description
File Version
Product Name
Product Version
Internal Name
Original File Name
Legal Copyright
Legal Trademarks
Private Build
Special Build

Is there another Vundo removal process? I already tried the fix that was suggested.

 

I wanted to add that today, after turning off the computer at night, I notice the following problems:

-On boot up, desktop icons will not load, neither does the task bar, windows start button etc. I have to "reset" my computer with the reset button on the chassis and then when I do that the icons etc come up on next boot

-In Firefox: when I click to save downloadable file, it does not prompt me as to where to save. In my Firefox settings i have it set to "Always ask me where to save file". But this is not working at all. And this is strange because it was working just fine yesterday even through my Malware guide process.

 

For some reason my screenshots from yesterday did not show up.

I am posting them so you can see... definitely something is hijacking some images when I browse and replacing with some advertisement for an anti-spyware (ha ha how ironic!).

Shall I run all the scans again, or will the logs from yesterday's scans help you out?

Also, I notice that in Firefox, whenever I click "browse" to browse to a file, it does not work at all. I have to use IE to browse to files. Very, very strange.

In IE 7 whenever I open IE, i am getting a pop up wanting to direct me to another site.

Thanks!

 

Just adding another thing I saw. In IE7, when I go to clear all private data, there is a little warning type thing at the bottom of the Internet Options window. I've never, ever seen this before.

 

Oh gosh, this just gets worse. Now I can't log in to MySpace, and I design profiles for that site. I noticed it has that silly Adware ad replacing a graphic. I can't get to the site now. I'm using Firefox.

I uninstalled and re-installed FF because it was acting buggy.

Chaslang, should I run all the scans again?

 

Oop chaslang I'm sorry. I thought these things might help. I did not know they wouldn't help out. I apologize.

 

Hi Chaslang,

To answer your questions:

This is a program I actually uninstalled. It was one I used to remote access my other computer. But I no longer use it. How may I delete these entries? Do I just go to regedit from RUN? I'm not sure where to look for it.

I got a new AntiVirus package called Avira Premium Security Suite and that had gotten rid of a few of the entries, but not all. So it seems the info you gave took care of the rest. I am going to run SpyDoctor again though because it caught a few things but I can't delete them unless I buy the program. I might go back and run it again, and copy the registry entries it says it found and manually delete them if possible.

At any rate, the adware that was replacing those graphics I mentioned is gone and I can now log into MySpace.

Attached are my new logs.

I apologize again for posting too much. I was freaking out a bit and lost my damn mind!

Thanks!

 

Hi Chaslang!

Sorry it took me a few days to get back to you, I was out of town.

I have run the things you told me and the following are the results:

-System performance is really good, internet is working.
-I did have success adding the registry entries and got the success message.

I have uninstalled Spyware Doctor per your advice.

Attached are logs.

Thanks again for your help and patience.

 

Sorry about that Chaslang, I didn't realize they were not turned off.

Check logs now and hopefully I did it right. May I turn Teatimer back on when we are finished?

I did get a Trojan warning when I rebooted. Please see screen shot attached. I sent it to Quarantine.

Things are working fine on my end.

Thanks!

 

Hi Chaslang,

Everything is fine except one thing:
I noticed that all my Firefox bookmarks are gone (thousands of them!). What is strange is that the folders are still there, but every single URL link is gone. I've searched for a backup, something, but alas, the same problem.

What do you think caused this?

Thanks!

 

Chaslang,

It turns out this is probably unrelated. I had upgraded to Firefox latest (2 version) and there is a damnable bug that deletes all bookmark entires. Frustrating to say the least.

Thanks for all your help!

Here's a cyber-chocolate-chip-cookie...
http://www.eatingwell.com/recipes/img/recipe_images/BG4642.JPG

Cheers!

 

OMG How could I forget milk!!!
http://www.germes-online.com/direct/dbimage/50311552/Milk_Flavors.jpg

Hope that is tasty. There are mini cows in case you need more.

Thanks for the help