Dlls missing at start-up after running VundoFix.exe

I was having the same problem as many other people with Avast continuously springing-up message box complaining that some dll was infected by vundo trojan horse. I kept deleting and it would spring-up again. I ran HijackThis but could not interpret the results. Then I ran VundoFix.exe and it seems to have fixed the problem except that starting windows now leads to two more missing dll message boxes that before. The following 4 dlls are missing:
hqmyxdof.dll,
iifcCvtU.dll,
xxyvwWoO.dll and
rQHYSjii.dll

The log from HijackThis looked like below. Can someone help me get rid of these messages? Thanks a lot. Btw I’m copying only the entries that list the missing dlls.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:41 AM, on 28/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

O4 - HKLM..\Run: [MSServer] rundll32.exe C:\Windows\system32\rQHYSjii.dll,#1
O4 - HKCU..\Run: [MSServer] rundll32.exe C:\Users\User\AppData\Local\Temp\xxyvwWoO.dll,#1
O4 - HKCU..\Run: [cmds] rundll32.exe C:\Users\User\AppData\Local\Temp\iifcCvtU.dll,c
O4 - HKCU..\Run: [BMcf0eb045] Rundll32.exe “C:\Users\User\AppData\Local\Temp\hqmyxdof.dll”,s

Hi. That part of the log does not show the files as missing. You should re-run hijackthis and post the entire log. There may be more in the other lines.


Welcome to the forums, Rehan.

Please do as oldman has suggested … run HJT again and then post the complete log using more than one posting or put the log in as an attachment.


Ok thanks for the feedback. Attached is the newly generated hijackthis log file.

Rehan

Hi folks. I’m still getting the dll missing messages. Could someone look the HijackThis log file that I had attached in my previous message and help me understand the situation better?

Thanks a million for your help
Rehan

Your log seems to be missing some lines.

Take a look at the log here:

http://forum.avast.com/index.php?topic=35953.msg301799;topicseen#msg301799

Yours jumps straight from running entries to 016 entries.

Weird. ???

I ran it again and now it has more lines. What do you think?

Thanks a lot
Rehan

You are still infected.

You will have to disable some antispywar programs first.
Spybot’s teatimer, windows defender and Spyware Guard. Possibly adaware, depending on which features you have enabled.

Info and instuctions can be found here
http://www.bleepingcomputer.com/forums/topic114351.html

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

AND

Superantispyware, get the free version.
http://www.superantispyware.com

First update SAS then set it up

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

Post both logs and a new HJT log

Thanks for your feedback. I did all the cleaning and regenerated a HijackThis log file, which is attached to this mail. Do you think my system is clean now?

Thanks a lot for your help
Rehan

Your log certainly looks better. Any lingering symptoms?

No symptoms at all.

Thanks
Rehan

Which program found/removed the malware?

I think the malware was actually removed before by running SpywareGuard, Ad-Aware, Spybot and VundoFix.exe, but at start-up, the system was still looking for those dlls. Using System Configuration utility and registry cleaner, I removed the entries for those faulty dlls and that was it.

Thanks
Rehan


Thanks for the feedback, Rehan. :slight_smile:

We are glad all is better with your computer.

Please come back often, learn more, and maybe help others.