Help! two week dilemma, looks to be malware, logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by gasoline_smells_great, Mar 1, 2008.

  1. gasoline_smells_great

    gasoline_smells_great Private E-2

    Thanks in advance for anyone's help. I'm used to being tied to a computer to do almost everything so the last two weeks have been ROUGH! Computer started acting funny (Toshiba Tecra M7 laptop, docked via a Dynadock, DSL, McAfee 2008 Suite, lots of internet use, recent exposure/addiction to PirateBay :p <--which probably started the whole thing with questionable downloads) and in particular, all desktop icons would disappear, so I'd Task Mgr and look to see if explorer.exe was running, and sure enough, it wouldn't be...I'd choose file, run, 'explorer.exe', icons back, all OK, 3ish days later, Firefox ground to a halt...'Hung App' over and over, Task Mgr showed two firefox.exe's running...weird. I'd kill them both, restart Firefox and all would be OK, but had to do it every freakin 5 minutes. Not good. I googled and found potential virus that gets in and turns itself into a filename already having access thru your firewall...Ughh. So I told McAfee not to let Firefox have any access and sure enough, no more double Firefox.exe's, the problem moved instantly over to explorer.exe...two of them. One is only about 3mb, the other is about 24mb...the 24mb is running my icons and the 3mb one wouldn't stop, didn't react to end process or end process tree. In reading about it, only Avira AntiVir seemed to know much about this, so I downloaded it and ran it...it started finding a moving target Trojan doing its active Guard (105 instances in the last 20 hours). I did two full scans within that timeframe and it found 23 problems - logs attached.

    To try to figure out more about the phantom explorer.exe, I downloaded Security Task Manager, since it touted full control over the processes shown as active in the regular Task Mgr. Having both the standard one up and the Security Task Manager up, they were completely the same EXCEPT for the second explorer.exe...it was nowhere to be found on the 'special' Task Mgr.

    I hated downloading a bunch of stuff to solve problems, but I hadn't yet heard about submitting Hijackthis logs for review and help, so I was just trying to get a grip on whatever has made its way in. While watching AntiVir find dll's and others that it deems to be TR/Vundo.gen malware (mllml.dll <---about 70 instances of this one), myigoane.dll, nqrcirxa.dll, vvonsmcl.dll, ptch[1], hctp[1], cmp638[1], txntxytl.dll, sonjxhrv.dll, A0071318.dll, A0071306.dll, hkxtmqbk.dll, hpfpukjl.dll <--about 20 instances of this one so far), vpgqhhtq.dll, A0066430.dll, A0066927.dll, A0066930.dll, A0066929.dll, A0066928.dll, A0066972.dll, A0066974.dll, A0067065, A0067140.dll, A0067164.dll, A0067303.dll, A0067318.dll, A0067381.dll, A0067367.dll, A0067368.dll, A0070180.dll, A0071306.dll and 0071312.dll, I found your site and just downloaded hijackthis. As directed, I renamed the exe file 'analyse.exe', made sure my computer was set to normal boot (it already was), rebooted and scanned. The log is attached.

    Please help me get rid of this thing and in the meantime I am reading up on your other areas of the site that detail safer ways to accept data and things I can do to keep this from happening again.

    Thx!
    Scott
     

    Attached Files:

  2. AbbySue

    AbbySue MajorGeeks Administrator

    Welcome to MajorGeeks!:)

    Two weeks is a long time to be pulling your hair out over this! ACK! lol

    Please follow the steps in our READ AND RUN ME FIRST Malware Removal Guide and attach the requested logs. Someone will be along to assist you as soon as possible.

    Good Luck!:)
     
  3. abri

    abri MajorGeek

    Hi gasoline_smells_great,
    Welcome to Major Geeks!

    I don't find the smell of gasoline so great, although I used to like the fumes when riding through a long tunnel.

    Please follow the instructions in the READ & RUN ME FIRST and post the requested logs when you finish. It's important to do the steps in order and to not skip any. In case your system is not in normal startup mode, please follow the instructions with msconfig to put it into normal startup mode.

    Thanks.
    abri
     
  4. gasoline_smells_great

    gasoline_smells_great Private E-2

    Hi all,

    Thanks to both of you who responded, your time is much appreciated! Here's a summary (with all the latest events included and a log attached);

    -Two weeks ago, icons would disappear, checked Tsk Mgr, explorer.exe running (but really small mem usage), force run new task explorer.exe would bring back icons, Tsk Mgr would show 2 explorer.exe's? Had to start doing it regularly to keep working.

    -all of sudden, it switched to Firefox, bogged down the program and Tsk Mgr showed 2 firefox.exe's...force end process solved it but would then happen again, and again, etc

    -McAfee saw nothing
    -'Security Tsk Mgr' didn't see the duplicate processes regular Tsk Mgr saw
    -googling 'duplicate firefox.exe' led me to Avira Antivir, installed and it found lots of moving TR/Vundo.gen files, found and quarantined all but C:/windows/system32/mllml.dll
    -read your 'do this first' list, downloaded ATF-Cleaner and Spybot S&D, ran both...S&D found a bunch of stuff, including some instances of Vundo and said all-clear after fix.
    -since Avira said files were TR/Vundo.gen, I downloaded and ran Vundofix and it found 3 Vundo files (all in C:/windows/system32 - lmllm.ini, lmllm.ini2 and mllml.dll) clicked remove and it locked up, reboot, again, locked up
    -rebooted in Safe mode, logged in as Admin, ran Vundofix again and it worked, rebooted back into Safe mode and ran Vundo fix...no infected files found
    -rebooted in Normal mode and computer hung at 'Windows is Starting Up', force quit and tried three more times, same thing.
    -rebooted +F8 and chose 'Startup in Last Known Good Configuration' and here I am...hope it boots up right when I shut down later!!

    -Only two issues I know of now are 1. a RunDLL error message as it tried to find the deleted file hpfpukjl.dll (quarantine in Avira didn't work, so I deleted (I know, I know)) and 2. I need to uninstall Avira, since having it AND McAfee isn't good.

    Please take a look at the attached log...I will keep myself logged in until someone responds in case I need to do anything in particular to ensure a good reboot next time, without having to F8 and choose 'last known good configuration'.

    Thanks so much!!!!
    Scott
     

    Attached Files:

  5. gasoline_smells_great

    gasoline_smells_great Private E-2

    Re: Help! ...looks to be malware, latest log attached - all might well now!

    Hi,

    I believe all is under control now. In my case, it appears that having McAfee, Avira, Spybot AND VundoFix all working together is the reason I may have beaten this POS virus. It was moving around so much and embedding itself into so many types of files that no one of those programs was seeing all of it.

    At my last post, I had just rebooted with Last Known Good Configuration, after being given the all-clear by VundoFix, but I wondered whether it was really all-clear or if I might have reintroduced the virus by using last-known files to get back into Windows...I might have, as Avira found 3 files infected with TR/Vundo.gen variants, one of which was a restored file;

    c:\system volume information\_restore{AECBC0AE-EE5C-443-939C-CCE0307865C3}\RP228\A0075410.dll
    C:\system32\mllml.dll (again!!!)
    C:\vundofix backups\mllml.dll.bad

    Avira was able to quarantine all 3 of these and I deleted them. I later went into the vundofix backup folder and also found the .ini and .ini2 files that had been infected, renamed .bad, so I deleted those too.

    SO...all in all, McAfee never saw a da_n thing, Avira saw 90% of the infected files, Spybot saw 50% of the infected files and VundoFix saw 80% of the infected files. Together, they fought and might just have won!

    After emptying the quarantines, doing a scan with all four programs and all four showing clean, I rebooted, got the missing hpfpukjl.dll error message (again), uninstalled Avira and rebooted again. Same missing dll file (my bad early in this mess - anyone know where to get a replacement file?) and all looks to be fine. No more duplicate explorer.exe files, no more duplicate firefox.exe files, everything's operating quickly and seemingly efficiently again.

    A final log is attached...please let me know if anyone sees anything strange or has recommendations.

    Any help or comments are truly appreciated,
    Scott
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi gasoline_smells_great,

    You seem to be doing fine. Carry on. lol

    Well, okay, I will comment:
    We don't rely exclusively on hijackthis because it doesn't give us enough information. I can see from your HJT log that you have two broken BHOs which can be fixed. That may indicate the end of the infection, but if you'd like for us to check your logs to see if they really are clean, please install and run the MGTools as per the instructions in the READ & RUN ME and attach the requested logs.

    Whether you decide to do that or not, you can fix the following two entries with HJT:
    (remember to close your browser before you hit the FIX button)

    O2 - BHO: {690135ad-84af-e4ea-e324-55cca2817fa0} - {0af7182a-cc55-423e-ae4e-fa48da531096} - C:\WINDOWS\system32\vpgqhhtq.dll (file missing)
    O2 - BHO: (no name) - {31886EFE-A165-4882-AF52-F7C2B08FAA93} - C:\WINDOWS\system32\mllml.dll (file missing)

    After these two have been fixed, just close the window.

    abri
     
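The two O2 lines abri points at above are the classic leftover of a Vundo-style BHO: a registration with no real name (or a GUID where a name should be), pointing at a random-looking DLL in system32 that no longer exists. The following script is an added example, not part of this thread or of HijackThis, that parses such O2 lines from a HijackThis log and flags the suspicious ones; the two flagged lines are the ones quoted above, the third is a constructed benign entry with a placeholder CLSID.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the two O2 entries quoted in abri's reply, plus one
# benign-looking line with a placeholder CLSID so the filter has something to pass.
SAMPLE_HJT_LOG = """\
O2 - BHO: {690135ad-84af-e4ea-e324-55cca2817fa0} - {0af7182a-cc55-423e-ae4e-fa48da531096} - C:\\WINDOWS\\system32\\vpgqhhtq.dll (file missing)
O2 - BHO: (no name) - {31886EFE-A165-4882-AF52-F7C2B08FAA93} - C:\\WINDOWS\\system32\\mllml.dll (file missing)
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
"""

# HJT O2 format: "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?\s*$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# The droppers in this thread used short, all-lowercase names in system32 (mllml, vpgqhhtq).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")

@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)

def parse_o2_lines(log_text):
    """Return one BhoEntry per O2 line; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"], m["path"], m["missing"] is not None))
    return entries

def flag_suspicious(entries):
    """Attach a reason for each heuristic an entry trips; return only entries that tripped one."""
    for e in entries:
        basename = e.path.replace("/", "\\").rsplit("\\", 1)[-1]
        in_system32 = "\\system32\\" in e.path.lower()
        if e.file_missing:
            e.reasons.append("file missing: orphaned BHO registration, safe to fix in HJT")
        if e.name == "(no name)" or GUID_RE.match(e.name):
            e.reasons.append("no human-readable name")
        if in_system32 and RANDOM_NAME_RE.match(basename):
            e.reasons.append("random-looking DLL name in system32")
    return [e for e in entries if e.reasons]

if __name__ == "__main__":
    for e in flag_suspicious(parse_o2_lines(SAMPLE_HJT_LOG)):
        print(e.clsid, e.path, "->", "; ".join(e.reasons))
```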
