Please help - winjvd32.dll?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Artephius, Nov 6, 2006.

  1. Artephius

    Artephius Private E-2

    Hi,

    During a stupid internet session surfing suspicious sites, I wasn't wary enough to make sure I don't get infected, and sure enough, I got infected!

    Initial scan with Norton Antivirus revealed several threats (none of which it took care of), one of them being winjvd32.dll. Subsequent scan with adaware revealed a series of smitfraudC, and took care of them. However, annoying popups still appeared. I used msconfig to prevent any unwanted startup programs from starting, uninstalled many programs from add/remove such as toolbar, safety alert! and other adwares that installed without my permission, and re-ran Norton and Adaware as well as Spybot and removed other threats. However, certain infections could not be removed and when I'm not connected, something is still trying to access the internet. So I proceeded by following each one of your steps, (several logs can be found attached):

    Microsoft Malicious software removal tool revealed nothing
    Spybot revealed infection by SmitfraudC.toolbar888 and fixed it
    Counterspy revealed nothing (Could not run Defender due to authenticity problems)
    Bitdefender revealed winjvd32.dll but could not fix or delete (log attached)
    Panda Active Scan revealed 5 adware and 7 potentially unwanted tools, most of which were not detected by previous scans. (log attached)

    I believe it is important to point out that I couldn't run the 2 internet scans from Safe Mode. Even with networking support, my network card was not turned on/couldn't be turned on, so I couldn't connect to the internet.

    I ran GetRunKey and ShowNew, however, I don't think they worked properly as they both couldn't run locate.com or ltime.exe for reasons that I couldn't figure out. The logs are available on request.

    A HijackThis log is also attached.

    Can you please help me? I can't connect to the internet more than 5 minutes without having extra things getting downloaded and installed without my permission, making the use of my computer very hard.

    Thanks in Advance,
    Artephius
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please see the below thread on how to install and run VundoFix. Once you complete the scan above, attach the log from the scan, a fresh HJT log and a fresh Panda log.
     
  3. Artephius

    Artephius Private E-2

    Hi again,

    Thanks for the speedy reply, however, VundoFix did not find anything and thus didn't find anything.

    Do you still want a new HJT log or is the old still good enough?

    Unfortunately, when I connected to the internet, a bunch of new things got blocked (maybe partially) by Norton, and CounterSpy blocked 2 programs from adding themselves to startup.

    Thanks
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    A possible reason is because of the programs you have running. Also, when I request new logs you must attach new logs as they change on reboot.

    Reboot into Safe Mode and run VundoFix, be sure nothing is loaded as in antispy. Also, I would go ahead and uninstall CounterSpy if you installed it during the READ ME. VundoFix will remove this but nothing can be running such as antivirus or antispy or else they will block the fix.

    Once you try this above in Safe Mode with nothing else running, reboot back to normal mode and attach the log with a fresh HJT log.
     
  5. Artephius

    Artephius Private E-2

    I did what you asked (uninstalled CS and rebooted to Safe Mode to run VundoFix) and it still says that it found nothing.

    Attached is the new log.

    Awaiting instruction
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now, scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {27354FFB-9762-46F7-8B79-A8EF18374150} - C:\WINDOWS\system32\pmkjj.dll (file missing)
    O2 - BHO: (no name) - {33EFB109-A074-4CE8-AF09-A7B0DEEED5DC} - \
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\ymmrwhwl.dll
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\yayabxy.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O20 - Winlogon Notify: yayabxy - C:\WINDOWS\SYSTEM32\yayabxy.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\yayabxy.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\ymmrwhwl.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Once you complete this post, reboot once more and attach a fresh HJT log. Also let me know how things are running.
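    The HijackThis lines quoted in this post share one tell: the same DLL (yayabxy.dll) is registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), so it gets loaded into the browser and into winlogon.exe, which is why later posts have to kill its threads under winlogon before the file can be removed. The following Python is an added example, not code from the thread or from HijackThis: it parses O2/O20 lines in the format shown above and reports DLLs present in both roles and entries whose file is already gone. The sample log below is constructed from the lines in this post; the regexes and helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis entries quoted in the post above.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {27354FFB-9762-46F7-8B79-A8EF18374150} - C:\\WINDOWS\\system32\\pmkjj.dll (file missing)
O2 - BHO: (no name) - {33EFB109-A074-4CE8-AF09-A7B0DEEED5DC} - \\
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\\WINDOWS\\system32\\ixt0.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\\WINDOWS\\system32\\ymmrwhwl.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\\WINDOWS\\system32\\yayabxy.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: yayabxy - C:\\WINDOWS\\SYSTEM32\\yayabxy.dll
"""


@dataclass
class Entry:
    kind: str             # "O2" = Browser Helper Object, "O20" = Winlogon Notify handler
    name: str             # BHO display name or Notify subkey name
    clsid: Optional[str]  # CLSID for BHOs, None for O20 entries
    path: str             # DLL path exactly as HijackThis printed it
    file_missing: bool    # HijackThis flagged the file as absent from disk


# Lazy path group followed by an optional "(file missing)" suffix, anchored at end of line.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")


def parse_hjt(text: str) -> List[Entry]:
    """Extract O2 and O20 entries; other HijackThis sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["clsid"].upper(), m["path"], m["missing"] is not None))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], None, m["path"], m["missing"] is not None))
    return entries


def has_file(e: Entry) -> bool:
    """True when the entry points at a real path (not blank, not a lone backslash, not flagged missing)."""
    return not e.file_missing and e.path.strip() not in ("", "\\")


def dll_basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shared_dlls(entries: List[Entry]) -> List[str]:
    """DLLs registered both as a BHO and as a Winlogon Notify handler.

    Such a DLL runs inside winlogon.exe as well as the browser, so removing only the
    BHO registration (or only the file) leaves a copy running that can restore it."""
    bhos = {dll_basename(e.path) for e in entries if e.kind == "O2" and has_file(e)}
    notify = {dll_basename(e.path) for e in entries if e.kind == "O20" and has_file(e)}
    return sorted(bhos & notify)


def dangling(entries: List[Entry]) -> List[Entry]:
    """Registrations whose file is gone: inert leftovers, but worth clearing so the log stays readable."""
    return [e for e in entries if not has_file(e)]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("loaded in both browser and winlogon:", shared_dlls(parsed))
    for e in dangling(parsed):
        print("dangling", e.kind, e.name, repr(e.path))
```

    Run against the lines above it reports yayabxy.dll as the shared DLL and four dangling registrations (pmkjj.dll, the blank CLSID entry, ixt0.dll and WRLogonNTF.dll), matching what the expert asked the poster to fix.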
     
  7. Artephius

    Artephius Private E-2

    So I did what you asked, and my computer seems ok...

    Attached is the HJT log, it's up to you to confirm if my computer really is ok.

    Two of the entries you made me delete in HJT are still there, is it normal?

    Thanks a lot!
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yayabxy.dll once and then click the kill button. After you have killed all of the yayabxy.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yayabxy.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\yayabxy.dll
    O20 - Winlogon Notify: yayabxy - C:\WINDOWS\SYSTEM32\yayabxy.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\yxbayay.ini
    C:\WINDOWS\SYSTEM32\yxbayay.ini2
    C:\WINDOWS\SYSTEM32\yxbayay.bak
    C:\WINDOWS\SYSTEM32\yxbayay.bak1
    C:\WINDOWS\SYSTEM32\yxbayay.bak2
    C:\WINDOWS\SYSTEM32\yxbayay.tmp
    C:\WINDOWS\SYSTEM32\yayabxy.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  9. Artephius

    Artephius Private E-2

    Hi again,

    I tried running Process Explorer, however, when I went to the properties of the services.exe, then the threads tab, it shows me an error (only the first time though) telling me something about not having the right version of windows debugging and that I have to download a new version. When I clicked ok, all I saw was !CreateThread+0x22 in all of the start addresses, so I have no idea which ones are the right DLLs to kill.
    When I go to the properties of explorer.exe, there is none that is called yayabxy.dll but 4 named ddayx.dll. Any relation?

    What should I do now? Do you have a version of windows debug I can download?

    Thanks
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, I didn't request you do anything with "services.exe", second you MUST STOP rebooting your computer. Each time you reboot the file renames itself making my fixes useless.

    Attach a fresh HJT log and DO NOT REBOOT until you hear from me.
     
  11. Artephius

    Artephius Private E-2

    Sorry about that, I meant winlogon.exe instead of services.exe. (Services.exe happens to be the first one in its tree.) However, I still get the same error in winlogon and I can't see any of the threads, rather some kind of string (that I wrote above). Is there a way to go around that problem or should I just forget about it and kill the process from explorer.exe only?

    The reason why I keep rebooting is that I can't connect to the internet from Safe Mode with Networking (My network card isn't detected). I can check the internet from another computer, but to post HJT logs, I have to use the infected computer (I can't transfer files using a USB key when in safe mode because my USB ports aren't detected either). After connecting, you tell me to go back to safe mode, hence the reboot. Is there a way I can do everything (Process Explorer and Killbox) from normal mode or conversely, is there a way to manage to connect from safe mode so I can always stay in safe mode? I'll post another HJT log that I got from normal mode. If you tell me how to connect from safe mode, I'll then post another HJT log from safe mode (as I have to reboot to get to safe mode.)

    Sorry for the misunderstanding.
     
  12. Artephius

    Artephius Private E-2

    Here's the new log. I won't reboot this time :p.

    Thanks!
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this once more...

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddayx.dll once and then click the kill button. After you have killed all of the ddayx.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ddayx.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A7D82797-1C33-4155-97EA-DE23182BD356} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\sdqyokkv.dll (file missing)

    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\xyadd.ini
    C:\WINDOWS\SYSTEM32\xyadd.ini2
    C:\WINDOWS\SYSTEM32\xyadd.bak
    C:\WINDOWS\SYSTEM32\xyadd.bak1
    C:\WINDOWS\SYSTEM32\xyadd.bak2
    C:\WINDOWS\SYSTEM32\xyadd.tmp
    C:\WINDOWS\system32\ddayx.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  14. Artephius

    Artephius Private E-2

    Ok, so here's the update.

    Over the past few days, I tried what you told me to and other combinations and it doesn't work. I can't use Process Explorer to kill the appropriate threads in winlogon.exe, only in explorer.exe. I tried using a similar program (Security Task Manager from Neuber). It detects the process and gives it a high security rating. It tries to kill the process and quarantine the file but fails to do so. Killbox can't delete the dll either. While rebooting, it says "PendingFileRenameOperations Registry Data has been Removed by External Process". Upon manual reboot, nothing has changed. From what HijackThis says about the file (or at least the BHO it creates) it says that the file is active very early in the bootup, which I guess means that it opens prior to any program that tries to delete it and kills the process before. Using Security Task Manager, I managed to get the text in the file (see attached). Also attached is a HJT log, which hasn't changed substantially since last time. Finally, I don't think rebooting changes the name of the file, rather I think connecting to the internet does. What do you think?

    So what's next now?
    Artephius.
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That fix will work if done properly, I have personally tested it so I know it works on all variants however you must do it exactly as it appears. Based on your current HJT log this fix will remove this trojan if run exactly as below.

    You must close any antivirus and antispy programs so they will not block anything!

    Also, when running Process Explorer, close any "ddayx.dll" you see running in either "winlogon.exe" or "explorer.exe". There may be 4 in one and none in the other, it varies just look in both and kill any you see.

    VundoFix, take 3:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddayx.dll once and then click the kill button. After you have killed all of the ddayx.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ddayx.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {9A12E2E7-169B-49CC-8297-62C1B17181B7} - C:\WINDOWS\system32\ddayx.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\xyadd.ini
    C:\WINDOWS\SYSTEM32\xyadd.ini2
    C:\WINDOWS\SYSTEM32\xyadd.bak
    C:\WINDOWS\SYSTEM32\xyadd.bak1
    C:\WINDOWS\SYSTEM32\xyadd.bak2
    C:\WINDOWS\SYSTEM32\xyadd.tmp
    C:\WINDOWS\system32\ddayx.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
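    Killbox's "Delete on Reboot" option, used in the fixes above, does not delete anything itself: it queues the file so that the Session Manager removes it at the next boot, before the DLL can be loaded again. The queue lives in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, as pairs of NT-style source path and destination, where an empty destination means "delete". That is also what the message the poster saw earlier ("PendingFileRenameOperations Registry Data has been Removed by External Process") refers to: the running infection emptied that value before the reboot, so nothing was deleted. The Python below is an added example, not code from the thread or from Killbox: it encodes and decodes that value format, builds the delete queue for the file list above, and checks which queued paths are no longer present in the value, which is the verification a responder would want to run just before rebooting. The sample paths are the ones listed in this post; the assumption that delete-on-reboot tools work through this value (the documented MoveFileEx delay-until-reboot mechanism) is the example's, not the thread's.

```python
from typing import List, Tuple

# Where the Session Manager looks at boot for queued renames/deletes.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # Win32 path -> NT object-manager path used inside the value

# Constructed sample: the files the post above asks Killbox to delete on reboot.
FILES_TO_DELETE = [
    r"C:\WINDOWS\SYSTEM32\xyadd.ini",
    r"C:\WINDOWS\SYSTEM32\xyadd.ini2",
    r"C:\WINDOWS\SYSTEM32\xyadd.bak",
    r"C:\WINDOWS\SYSTEM32\xyadd.tmp",
    r"C:\WINDOWS\system32\ddayx.dll",
]


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ on disk: each UTF-16LE string NUL-terminated, then one extra NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz; empty strings are preserved because they carry meaning here."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a terminating NUL")
    parts = text[:-1].split("\x00")   # drop list terminator, split on per-string terminators
    return parts[:-1]                 # last split piece is the empty tail after the final string


def pending_delete_entries(win_paths: List[str]) -> List[str]:
    """Flat list as written by a delete-on-reboot tool: (\\??\\source, "") per file."""
    out: List[str] = []
    for p in win_paths:
        out.append(NT_PREFIX + p)
        out.append("")  # empty destination == delete at boot
    return out


def parse_pending(strings: List[str]) -> List[Tuple[str, str]]:
    """Pair up the flat list; an odd count means the value was truncated or tampered with."""
    if len(strings) % 2:
        raise ValueError("malformed PendingFileRenameOperations: odd number of strings")
    return list(zip(strings[0::2], strings[1::2]))


def queued_deletes(data: bytes) -> List[str]:
    """Win32 paths currently queued for deletion (renames, with a non-empty destination, are skipped)."""
    result = []
    for src, dst in parse_pending(decode_multi_sz(data)):
        if dst == "":
            result.append(src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src)
    return result


def missing_from_queue(expected: List[str], data: bytes) -> List[str]:
    """Pre-reboot check: which of the files we queued are no longer in the value."""
    queued = {p.lower() for p in queued_deletes(data)}
    return [p for p in expected if p.lower() not in queued]


def read_live_queue() -> List[Tuple[str, str]]:
    """On Windows, read the real value (winreg returns REG_MULTI_SZ as a list); [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
            return parse_pending(list(value))
    except OSError:
        return []


if __name__ == "__main__":
    queued = encode_multi_sz(pending_delete_entries(FILES_TO_DELETE))
    print("queued:", queued_deletes(queued))
    # Simulate the thread's failure: something cleared the value before reboot.
    wiped = encode_multi_sz([])
    print("lost from queue:", missing_from_queue(FILES_TO_DELETE, wiped))
```

    On the infected machine the comparison in missing_from_queue, run against read_live_queue() right before the reboot, would have shown the list draining back to empty, which is exactly the symptom the poster reported and the reason the expert insists that nothing else may be running during the fix.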
     
