Very Strange AutoRun Entry? BMd75f45c6

Discussion in 'Malware Help (A Specialist Will Reply)' started by webgyrl, Apr 7, 2008.

  1. webgyrl

    webgyrl Private E-2

    Hi,

    Definitely something up with my computer today. I downloaded a torrent yesterday for a FLV to SWF converter... scanned it, but nothing came up in the scan.

    This morning I turned on my computer and at first the desktop would not load. So I shut down and started again, and it loaded. Then I noticed that on some of the web sites I own, some of my graphics were replaced with what seems like spyware/adware... on my computer the graphics are changed with links/graphics to other crap... I double checked on my BF's computer and I see that the graphics show as normal, so I must have a virus, Trojan, etc. Something is definitely on my system. I also noticed that my Wacom tablet won't work. It won't draw anything, though the mouse works fine.

    In the Autoruns startup list I notice an entry called
    BMd75f45c6 and the location is listed as:
    Rundll32.exe "C:\WINDOWS\system32\kfaurftq.dll",s

    I tried to use a-Squared HiJackFree to disable this from startup (uncheck), but it seems to replicate itself even though it has been unchecked.

    So I went in and I right clicked and deleted the object from AutoRun.

    Even though I delete it, it keeps coming back.

    I've searched for "kfaurftq.dll,s" and "BMd75f45c6" on Google, but nothing comes up.

    Any ideas what this is and how to get rid of it?

    I'm going thru the Malware removal guide after I finish a deep, thorough scan with Avast... but figured I'd post this up to see if anyone is familiar with it.

    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. webgyrl

    webgyrl Private E-2

    Hi Chaslang,

    Hope you are doing well :)

    It looks like I do have Vundo, and maybe something else. I've gone through the removal guide, but seem to still be infected with something because on a web site I own, I see one image being replaced by some warning about being infected with spyware, and it's supposed to be a different image. I looked at the site on my boyfriend's computer and it shows the normal image, so there is definitely some sort of spyware/adware on my system.

    I've made notes of some things I encountered while running the Malware removal guide steps.

    The notes are below. Logs are attached.

    Avast found Virtumonde/Vundo

    VUNDO REMOVAL VIA VundoFix V7.0.3
    Found 6 Instances
    C:\WINDOWS\system32\dfwyrlni.dll
    C:\WINDOWS\system32\IijSBJjl.ini
    C:\WINDOWS\system32\IijsbJjl.ini2
    C:\WINDOWS\system32\inlrywfd.ini
    C:\WINDOWS\system32\ljJBSjiI.dll
    C:\WINDOWS\system32\PWRISOSH.dll


    Virus Removal Notes - Stepping Through the Malware Guide

    REMOVED
    Java (TM)SE Runtime Environment 6 Update 1
    Java (TM) 6 Update 2
    J2SE Runtime Environment 5.0 Update 11
    UPDATED w/ Current V of JRE

    Scanned w/ SUPERAntiSpyware
    Results:
    Adware.Vundo Variant/Resident 2
    Trojan.Downloader-NewJuan/VM 2
    Adware.Vundo-Variant/E 3
    Adware.Vundo-Variant/Small-A 9
    Adware.Vundo-Variant 5

    After I came back from rebooting, I got these "error messages"
    Error Loading:
    c:\WINDOWS\system32\kfaurftq.dll
    c:\WINDOWS\system32\woetatoo.dll
    c:\WINDOWS\system32\mptiqksw.dll

    SPybot S&D

    Ran it
    Found
    Windows Active Desktop 1 Entry
    Virtumonde 3 Entries
    Virtumonde.dll 8 Entries

    Selected to Fix items,
    The screen froze. I began to wait to see if the freeze would resolve, but while I waited I got a message that said:
    Failed to load C:\Program Files\Spybot - Search_Destroy\DelZip179.dll
    That window kept popping up and would not go away, so I kept pressing "OK" a zillion times and finally it went away, and then the S&D screen showed the green checkmarks that display when something has been fixed.
    Closed Spybot S&D.

    Ran Malwarebytes' AM
    Could not delete
    C:\WINDOWS\system32\atklkgny.dll_old
    C:\WINDOWS\system32\rqRHbyOi.dll_old

    After I came back from rebooting, I got these "error messages"
    Error Loading:
    c:\WINDOWS\system32\atlkgny.dll
    c:\WINDOWS\system32\ubgwqdrl.dll

    I pressed OK to clear these.

    I went on to try to run ComboFix, but it seemed to do nothing and no combofix.txt log was created in C:\. I followed the instructions. All my startup entries were on though. I hadn't changed that setting from when I unchecked selective startup at the beginning of my using the Guide.
     

  4. webgyrl

    webgyrl Private E-2

    Just trying to attach an image of the site I noticed the problem on.
     
    Last edited: Apr 8, 2008
  5. webgyrl

    webgyrl Private E-2

    I thought I'd add that I just went to FileResearchCenter.com and ran the process check and it found Vundo still:
    Running Applications:
    Adware.Vundo-Variant/Small-A.Process (XTDWXPLO.DLL)
    File location on your computer: C:\WINDOWS\SYSTEM32\XTDWXPLO.DLL
    File size (bytes): 85056
    MD5 checksum/fingerprint: CF54B6AC85ED72F26F5325720D1AEF1A
    Company name: Unknown
    File version information (description, version, product name, internal name, original file name, copyright, trademarks, build): all fields blank

    Is there another Vundo removal process? I already tried the fix that was suggested.
     
  6. webgyrl

    webgyrl Private E-2

    I wanted to add that today, after turning off the computer at night, I notice the following problems:

    -On boot up, desktop icons will not load, neither does the task bar, windows start button etc. I have to "reset" my computer with the reset button on the chassis and then when I do that the icons etc come up on next boot

    -In Firefox: when I click to save downloadable file, it does not prompt me as to where to save. In my Firefox settings i have it set to "Always ask me where to save file". But this is not working at all. And this is strange because it was working just fine yesterday even through my Malware guide process.
     
  7. webgyrl

    webgyrl Private E-2

    For some reason my screenshots from yesterday did not show up.

    I am posting them so you can see... definitely something is hijacking some images when I browse and replacing with some advertisement for an anti-spyware (ha ha how ironic!).

    Shall I run all the scans again, or will the logs from yesterday's scans help you out?

    Also, I notice that in Firefox, whenever I click "browse" to browse to a file, it does not work at all. I have to use IE to browse to files. Very, very strange.

    In IE 7 whenever I open IE, i am getting a pop up wanting to direct me to another site.

    Thanks!
     

  8. webgyrl

    webgyrl Private E-2

    Just adding another thing I saw. In IE7, when I go to clear all private data, there is a little warning type thing at the bottom of the Internet Options window. I've never, ever seen this before.
     

    Attached: ie7.jpg (79.9 KB)
  9. webgyrl

    webgyrl Private E-2

    Oh gosh, this just gets worse. Now I can't log in to MySpace, and I design profiles for that site. I noticed it has that silly Adware ad replacing a graphic. I can't get to the site now. I'm using Firefox.

    I uninstalled and re-installed FF because it was acting buggy.

    Chaslang, should I run all the scans again?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop posting!!! You are making it take longer to get an answer. Please read the sticky threads. Especially this one: Don't Bump! It Only Hurts You!!!

    Any post you add is a bump whether intentional or not. None of the additional posts you made after attaching your logs were necessary or needed.
     
  11. webgyrl

    webgyrl Private E-2

    Oops, chaslang, I'm sorry. I thought these things might help. I did not know they wouldn't help out. I apologize.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just needed to wait for us to look at your logs and give you a fix. And here it is.

    Why does the below process need to be run at startup and why does it need to be loaded twice?
    O4 - HKLM\..\Run: [Avvenu Update] D:\Program Files\Avvenu\Avvenu_updater.exe
    O4 - HKLM\..\Run: [Avvenu Access n Share Update] "D:\Program Files\Avvenu\Avvenu_updater.exe"

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {4B561BDD-3567-4028-9BFA-271157E63421} - C:\WINDOWS\system32\ljJBSjiI.dll (file missing)
    O2 - BHO: {77d16753-daf0-18b8-1654-d7635bb873d5} - {5d378bb5-367d-4561-8b81-0fad35761d77} - C:\WINDOWS\system32\thmgkeut.dll
    O2 - BHO: (no name) - {8A932032-B180-497C-B8A1-FB53C0AD8520} - C:\WINDOWS\system32\byXRjjGW.dll
    O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\yayAPGxu.dll
    O2 - BHO: (no name) - {AB6A63FF-91F8-46FF-A9F3-7B60DB646CB9} - C:\WINDOWS\system32\rqRHbYOi.dll (file missing)
    O2 - BHO: (no name) - {E6C25AF3-5F5C-4549-A472-B907035D0A42} - C:\WINDOWS\system32\iiffCVLe.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [d46c765a] rundll32.exe "C:\WINDOWS\system32\xtdwxplo.dll",b
    O4 - HKLM\..\Run: [BMd75f45c6] Rundll32.exe "C:\WINDOWS\system32\voyjobvi.dll",s
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: yayAPGxu - C:\WINDOWS\SYSTEM32\yayAPGxu.dll

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! If you still have problems, put all of them in the same message as the above logs and then please wait for an answer.
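The entries chaslang singles out above, together with the BMd75f45c6 entry from the first post, all share one layout: a DLL with a random eight-letter name in system32, registered as a nameless BHO (O2), launched at logon by rundll32 with a one-letter export (O4), and in one case also hooked into Winlogon Notify (O20). The following is an added example, not part of the thread and not code from HijackThis or MajorGeeks: a small Python scorer that reads HijackThis-style lines and ranks them by how many of those signals they carry. The sample input is the O2/O4/O20 lines quoted in message #12 plus one constructed benign Adobe BHO line as a control; the weights and the threshold of 4 are this example's own assumptions, and a hit means "look this entry up", never "delete it automatically".

```python
import re

# Added example: heuristic triage of HijackThis-style log lines for the
# Vundo/Virtumonde persistence pattern seen in this thread. Weights and
# threshold are this example's own assumptions, not an HJT convention.

O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL32 = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)$', re.I)
GUID = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")        # kfaurftq, yayAPGxu, xtdwxplo ...
RANDOM_KEY = re.compile(r"^(?:BM)?[0-9a-f]{8}$")   # d46c765a, BMd75f45c6
IN_SYSTEM32 = re.compile(r"\\(?:windows|winnt)\\system32\\", re.I)
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)

# Sample input: lines quoted in message #12 of the thread, plus one
# constructed benign Adobe BHO line as a control (not from the thread).
HJT_LINES = r"""
O2 - BHO: (no name) - {4B561BDD-3567-4028-9BFA-271157E63421} - C:\WINDOWS\system32\ljJBSjiI.dll (file missing)
O2 - BHO: {77d16753-daf0-18b8-1654-d7635bb873d5} - {5d378bb5-367d-4561-8b81-0fad35761d77} - C:\WINDOWS\system32\thmgkeut.dll
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\yayAPGxu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [d46c765a] rundll32.exe "C:\WINDOWS\system32\xtdwxplo.dll",b
O4 - HKLM\..\Run: [BMd75f45c6] Rundll32.exe "C:\WINDOWS\system32\voyjobvi.dll",s
O20 - Winlogon Notify: yayAPGxu - C:\WINDOWS\SYSTEM32\yayAPGxu.dll
"""


def module_stem(path):
    """'C:\\WINDOWS\\system32\\ljJBSjiI.dll (file missing)' -> 'ljJBSjiI'."""
    base = ORPHAN.sub("", path).strip().split("\\")[-1]
    return base.rsplit(".", 1)[0]


def module_signals(path):
    """Signals that apply to any module path, whichever hook loads it."""
    sig = []
    if RANDOM_STEM.match(module_stem(path)):
        sig.append((2, "random-looking 8-letter module name"))
    if IN_SYSTEM32.search(path):
        sig.append((1, "third-party module dropped in system32"))
    if ORPHAN.search(path):
        sig.append((1, "orphaned entry, file already removed"))
    return sig


def triage(log_text):
    """Parse O2/O4/O20 lines and attach weighted signals to each one."""
    findings, bho_stems, notify_idx = [], set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        sig = []
        if m := O2_BHO.match(line):
            if m["name"] == "(no name)" or GUID.match(m["name"]):
                sig.append((2, "BHO has no readable display name"))
            sig += module_signals(m["path"])
            bho_stems.add(module_stem(m["path"]).lower())
        elif m := O4_RUN.match(line):
            if RANDOM_KEY.match(m["key"]):
                sig.append((2, "random hex Run value name"))
            if r := RUNDLL32.match(m["cmd"].strip()):
                sig.append((1, "rundll32 used to load a DLL at logon"))
                if len(r["export"]) == 1:
                    sig.append((2, f"single-letter export ',{r['export']}'"))
                sig += module_signals(r["dll"])
        elif m := O20_NOTIFY.match(line):
            sig += module_signals(m["path"])
            notify_idx.append((len(findings), module_stem(m["path"]).lower()))
        else:
            continue  # other HJT line types are not scored here
        findings.append({"line": line, "signals": sig})
    # Cross-hook check: the same DLL as BHO and as Winlogon Notify handler is
    # the tell-tale Vundo layout (yayAPGxu in this thread).
    for idx, stem in notify_idx:
        if stem in bho_stems:
            findings[idx]["signals"].append((3, "same DLL registered as BHO and Winlogon Notify handler"))
    for f in findings:
        f["score"] = sum(p for p, _ in f["signals"])
        f["reasons"] = [r for _, r in f["signals"]]
    return findings


def flagged(log_text, threshold=4):
    """Entries worth checking, highest score first; threshold 4 stops a lone weak signal firing."""
    return sorted((f for f in triage(log_text) if f["score"] >= threshold),
                  key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in flagged(HJT_LINES):
        print(f"[{f['score']}] {f['line']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

On the sample above the six Vundo entries score between 5 and 8, the Adobe BHO and the Java updater score 0, and the O20 line picks up the extra cross-hook reason because its DLL also appears as a BHO. An eight-letter name in system32 is only a hint on its own (legitimate Windows modules such as browseui.dll match it too), which is why the single-signal cases stay below the threshold and why the output is a reading list for a lookup, not a delete list.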
     
  13. webgyrl

    webgyrl Private E-2

    Hi Chaslang,

    To answer your questions:
    This is a program I actually uninstalled. It was one I used to remote access my other computer. But I no longer use it. How may I delete these entries? Do I just go to regedit from RUN? I'm not sure where to look for it.

    I got a new AntiVirus package called Avira Premium Security Suite and that had gotten rid of a few of the entries, but not all. So it seems the info you gave took care of the rest. I am going to run SpyDoctor again though because it caught a few things but I can't delete them unless I buy the program. I might go back and run it again, and copy the registry entries it says it found and manually delete them if possible.

    At any rate, the adware that was replacing those graphics I mentioned is gone and I can now log into MySpace.

    Attached are my new logs.

    I apologize again for posting too much. I was freaking out a bit and lost my damn mind!

    Thanks!
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix those lines using C:\MGtools\analyse.exe like you did in the fix in message # 12.

    I recommend that you uninstall this trial of Spyware Doctor as it is just wasting system resources.

    We have a little more to do.

    Shutdown your protection software (like Avira, A-Squared...etc) before doing the below to avoid having them get in the way.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O2 - BHO: (no name) - {E6C25AF3-5F5C-4549-A472-B907035D0A42} - C:\WINDOWS\system32\iiffCVLe.dll (file missing)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    After clicking Fix, exit HJT.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  15. webgyrl

    webgyrl Private E-2

    Hi Chaslang!

    Sorry it took me a few days to get back to you, I was out of town.

    I have run the things you told me and the following are the results:

    -System performance is really good, internet is working.
    -I did have success adding the registry entries and got the success message.

    I have uninstalled Spyware Doctor per your advice.

    Attached are logs.

    Thanks again for your help and patience.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have Spybot's TeaTimer running, which may have interfered with proper removal of the O2 BHO line last time. Disable TeaTimer per the READ ME instructions, reboot, and then do the below.

    Shutdown your protection software (like Avira, A-Squared...etc) before doing the below to avoid having them get in the way.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: (no name) - {E6C25AF3-5F5C-4549-A472-B907035D0A42} - (no file)

    After clicking Fix, exit HJT.


    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  17. webgyrl

    webgyrl Private E-2

    Sorry about that Chaslang, I didn't realize they were not turned off.

    Check logs now and hopefully I did it right. May I turn Teatimer back on when we are finished?

    I did get a Trojan warning when I rebooted. Please see screen shot attached. I sent it to Quarantine.

    Things are working fine on my end.

    Thanks!
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only when we are totally finished and if it is what you plan on using for active realtime antispyware protection.

    This was not necessary. It was only what I just had you delete in my last fix and it was already in the Avenger quarantine.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. webgyrl

    webgyrl Private E-2

    Hi Chaslang,

    Everything is fine except one thing:
    I noticed that all my Firefox bookmarks are gone (thousands of them!). What is strange is that the folders are still there, but every single URL link is gone. I've searched for a backup, something, but alas, the same problem.

    What do you think caused this?

    Thanks!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unknown unless it was somehow related to one of your infections doing this. None of the scans we ran deleted any bookmarks. If they had, it would have showed in the logs.
     
  21. webgyrl

    webgyrl Private E-2

    Chaslang,

    It turns out this is probably unrelated. I had upgraded to the latest Firefox (version 2) and there is a damnable bug that deletes all bookmark entries. Frustrating to say the least.

    Thanks for all your help!

    Here's a cyber-chocolate-chip-cookie...
    http://www.eatingwell.com/recipes/img/recipe_images/BG4642.JPG

    Cheers!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Thanks for the cookies! Now where is that glass of milk. :D
     
  23. webgyrl

    webgyrl Private E-2

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL! Thanks & you're welcome again.
     
