
dvdnet.dll AKA aftermath of jkhfg.dll [RESOLVED]



#1
Vitr

    New Member

  • Member
  • 1 posts
Ok. First things first, here's the hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:26:51 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Viet's Folder\ZoneAlarm\zlclient.exe
C:\Viet's Folder\iPod\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Viet's Folder\iPod\bin\iPodService.exe
C:\Viet's Folder\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Viet\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VIET'S~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\dvdnet.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Viet's Folder\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Viet's Folder\iPod\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Viet's Folder\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\VIET'S~1\Yahoo\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\VIET'S~1\Yahoo\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110...nsearchie32.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093125766937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O20 - Winlogon Notify: dvdnet - C:\WINDOWS\Cursors\dvdnet.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Viet's Folder\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ok. Before anybody starts jumping to conclusions, here's a little background information.

I started out with Security Task Manager and was just dilly-dallying when one day a little process called jkhfg.dll popped up on the highest of ratings on my Security Task Manager. Being naturally curious, I took a peek at what it could be. Apparently, this little browser extension recorded everything I typed and was activated whenever IE started up. I sent a distress signal on another forum, and after a few days of deliberation, the consensus was that it was malware. SO.

I did the simplest thing any novice does. I went into c:\windows\system32, unlocked hidden and system files, clicked on the sucker and pressed delete!

But wait! Apparently it was running! After a long string of curse words, I decided to reboot into safe mode and try it in command prompt. That didn't work either.

So, I looked it up on Google and for a few days, absolutely NO entries came up. Then I saw the post on this forum, and hoped we had similar problems. And we did. So I downloaded HijackThis and ran it, clicked on the appropriate boxes and clicked on fix selected items!

And...scanned again...and CRAP! The [bleep] thing's still there. So after an anonymous guy sent me a message telling me to use hitmanpro, I did, and even though that didn't do anything, it SOMEHOW allowed me to go into safe mode command prompt and delete jkhfg.dll.

I celebrated.

The next day, I booted up security task manager to happily scan the list of safe programs.

But wait.

What is this? dvdnet.dll!?!? CREATED ON THE SAME DAY THAT I DELETED JKHFG.DLL!?!? No! It couldn't be!

Oh, but the fun doesn't stop there. You see, jkhfg.dll was originally 25 kilobytes in size. This sucker was a whopping FIVE HUNDRED KILOBYTES! And it doesn't stop there either! It came with a little friend called tendvd.ini! And the final surprise, it didn't show up in system32! It showed in the CURSORS folder in c:\windows.

I panicked and just about pissed my pants. What the [bleep] was going on? How did it replicate? Was this one of those polymorphic viruses? Was armageddon arriving?

So, I repeated my procedure. I tried hitmanpro (to no avail), hijackthis, and going into command prompt in safe mode. I unattributed its system file attribute, its hidden attribute, I even unattributed its read-only attribute.

And you know what? I even tried to edit dvdnet.dll in MS-DOS and wipe the file clean.

And even though it was NOT read-only, it said access denied, file is read only! I tried to delete it, and it merely said access denied!

So now I'm sitting here debating on what to do. This thing does nearly the exact same thing jkhfg.dll did, or at least Security Task Manager said so.

Here's a copy and paste of what Security Task Manager said it did:



Sorry for the long post guys, please help me out. I'm relatively new to the malware-battling world, so please be patient.

Thanks in advance!


#2
Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at. It should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Cursors\dvdnet.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Cursors\tendvd.dll

    This will be the Vundo filename spelt backwards. For example, if the Vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\dvdnet.dll

    O20 - Winlogon Notify: dvdnet - C:\WINDOWS\Cursors\dvdnet.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
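As an added illustration (not code from this thread, nor from HijackThis or VundoFix), the Python below applies the triage Wizard does by eye to the HijackThis log posted above: it parses the O2 (BHO) and O20 (Winlogon Notify) entries, flags a DLL that lives outside the usual program directories or is registered in both places, and derives the reversed-name companion (dvdnet -> tendvd) that the second VundoFix path step asks for. The sample log lines are constructed from entries in the posted log, and the list of expected directories is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the HijackThis log in post #1.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINDOWS\\Cursors\\dvdnet.dll
O20 - Winlogon Notify: dvdnet - C:\\WINDOWS\\Cursors\\dvdnet.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

# Assumption: directories where a BHO or Winlogon Notify DLL normally lives.
# Anything else (here C:\WINDOWS\Cursors) is worth a second look.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# O2/O20 lines end in " - <drive>:\path\file.dll" (or .ocx).
LINE_RE = re.compile(
    r"^(O2|O20) - .*? - (?P<path>[A-Za-z]:\\.+\.(?:dll|ocx))\s*$", re.I
)


def parse_entries(log_text):
    """Return [(section, path), ...] for every O2 and O20 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1).upper(), m.group("path")))
    return entries


def reversed_companion(path):
    """Base name of the DLL spelled backwards (dvdnet -> tendvd), the naming
    convention Wizard's VundoFix instructions describe for the companion file."""
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    return stem[::-1]


def flag_suspicious(log_text):
    """Map each suspicious DLL path (lowercased) to its reasons and companion stem."""
    sections = defaultdict(set)
    for section, path in parse_entries(log_text):
        sections[path.lower()].add(section)
    findings = {}
    for path, secs in sections.items():
        reasons = []
        if not path.startswith(EXPECTED_DIRS):
            reasons.append("unusual directory")
        if {"O2", "O20"} <= secs:  # same file hooked into IE and Winlogon
            reasons.append("same DLL as BHO and Winlogon Notify")
        if reasons:
            findings[path] = {
                "reasons": reasons,
                "companion_stem": reversed_companion(path),
            }
    return findings


if __name__ == "__main__":
    for path, info in flag_suspicious(SAMPLE_LOG).items():
        print(path, info["reasons"], "look also for", info["companion_stem"] + ".*")
```

Only the Cursors DLL is reported; the Adobe and Intel entries pass both checks.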

#3
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Vitr, my name is Trevuren and I am a colleague of Cretemonster. He must unavoidably be absent from the forum for an indefinite period of time so I will do my utmost to provide you with the same quality of service as that to which you have become accustomed.

Regards,

Trevuren


#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Topic Resolved based upon PM by victim

Trevuren

#5
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.