virus gone (?)...now getting RUNDLL errors on startup

hi everybody!

i’ve spent the better part of 2 days attempting to clean my computer of what appeared to be several viruses/trojans/rootkits, etc. it all started a couple weeks ago when i visited a formerly safe and normal website (orchid message board) that had apparently been hijacked or infected. avast went crazy, telling me things were being blocked and viruses were being found. i quickly left the site, but apparently things followed me.

for a while, i was getting abnormal popups and browser search redirects, which prompted me to do some research. i originally found some versions of alureon/tdss and worked to clean those out (using tdsskiller, etc). subsequent scans with avast also found junk in the _restore files, which were moved to chest and then rescanned to find nothing. then, i did a boot-time scan, which pulled up 5 corrupted java files, infected with Java:Djewers-T , Java:Gimsh-B , and Java:Agent-S. all these were also moved to chest. on subsequent scans with avast, i have come up clean.

i also did a disable system restore/scan/re-enable on the system. scans with both ad-aware and malwarebytes find nothing. i updated java runtime environment as well. browser seems to be running ok now, but the issue lies on bootup.

on start, i get a couple RUNDLL error popups. “error loading c:\windows\jewesusf.dll the specified module could not be found” and also one for c:\windows\ewajililunutow.dll. the first (jewesusf.dll) i assume is related to the Java:Djewers-T infection the boot scan found. not sure about the second. what can be done about these errors?

i’m running XP, avast 5.0.594, MBAM 1.46. if you need any more info from me or any logs, please let me know.

Follow this guide from Essexboy and post the logs here
http://forum.avast.com/index.php?topic=53253.0

lower left corner: + Additional Options > Attach > ( MBAM scan log / OTL.Txt and Extras.Txt. )

here ya go. hopefully i did the attachments correctly. and despite the fact MBAM says i’m using IE, i’m actually running firefox as my default browser. haven’t used or updated IE in forever.

Do this and let me know of any problems on completion

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\xzkwcqeh.sys -- (xzkwcqeh)
O3 - HKU\S-1-5-21-1275210071-1078081533-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1275210071-1078081533-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Fhimelehiz] C:\WINDOWS\ewajililunutow.DLL File not found
O4 - HKU\S-1-5-21-1275210071-1078081533-839522115-1003..\Run: [Hfelisukinas] C:\WINDOWS\jewesusf.DLL File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: Backgammon by pogo http://game1.pogo.com/applet-6.6.5.22/backgammon/backgammon-en_US.cab (Reg Error: Key error.)
O16 - DPF: Blooop by pogo http://game1.pogo.com/applet-6.7.0.40/cascade/cascade-en_US.cab (Reg Error: Key error.)
O16 - DPF: Checkers by pogo http://game1.pogo.com/applet-6.6.5.31/checkers2/checkers-en_US.cab (Reg Error: Key error.)
O16 - DPF: Dice Derby by pogo http://game1.pogo.com/applet-6.7.2.24/checkeredflag/checkeredflag-en_US.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: First Class Solitaire by pogo http://game1.pogo.com/applet-6.7.2.24/firstclass2/firstclass2-en_US.cab (Reg Error: Key error.)
O16 - DPF: Hearts by pogo http://game1.pogo.com/applet-6.6.4.29/hearts/hearts-en_US.cab (Reg Error: Key error.)
O16 - DPF: Lost Temple Poker by pogo http://game1.pogo.com/applet-6.6.5.31/mhpoker/mhpoker-en_US.cab (Reg Error: Key error.)
O16 - DPF: Mah Jong Garden by pogo http://game1.pogo.com/applet-6.6.5.31/mahjong/mahjong-en_US.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Multiline Slots by pogo http://game1.pogo.com/applet-6.7.1.33/mlslots/mlslots-en_US.cab (Reg Error: Key error.)
O16 - DPF: Payday FreeCell by pogo http://game1.pogo.com/applet-6.7.1.23/freecell/freecell-en_US.cab (Reg Error: Key error.)
O16 - DPF: Phlinx by pogo http://game1.pogo.com/applet-6.7.2.24/flinger/flinger-en_US.cab (Reg Error: Key error.)
O16 - DPF: Pop Fu by pogo http://game1.pogo.com/applet-6.6.5.22/popfu/popfu-en_US.cab (Reg Error: Key error.)
O16 - DPF: PoppaZoppa by pogo http://game1.pogo.com/applet-6.6.5.31/poppazoppa/poppazoppa-en_US.cab (Reg Error: Key error.)
O16 - DPF: Poppit by pogo http://game1.pogo.com/applet-6.7.2.24/poppit2/poppit2-en_US.cab (Reg Error: Key error.)
O16 - DPF: Shuffle Bump by pogo http://game1.pogo.com/applet-6.7.0.32/puck/puck-en_US.cab (Reg Error: Key error.)
O16 - DPF: Stellar Sweeper by pogo http://game1.pogo.com/applet-6.7.2.33/sweeper/sweeper-en_US.cab (Reg Error: Key error.)
O16 - DPF: Texas Hold'em Poker by pogo http://game1.pogo.com/applet-6.6.5.31/holdem/holdem-en_US.cab (Reg Error: Key error.)
O16 - DPF: Tri-Peaks by pogo http://game1.pogo.com/applet-6.7.2.24/peaks/peaks-en_US.cab (Reg Error: Key error.)
O16 - DPF: Turbo 21 v2 by pogo http://game1.pogo.com/applet-6.7.2.33/turbo22/turbo22-en_US.cab (Reg Error: Key error.)
O16 - DPF: Wonderland Memories by pogo http://game1.pogo.com/applet-6.7.2.24/memories/memories-en_US.cab (Reg Error: Key error.)
O16 - DPF: Word Whomp by pogo http://game1.pogo.com/applet-6.7.1.33/wordwhomp2/whomp2-en_US.cab (Reg Error: Key error.)
O16 - DPF: Word Whomp Whackdown by pogo http://game1.pogo.com/applet-6.6.5.31/whackdown/whackdown-en_US.cab (Reg Error: Key error.)
O16 - DPF: WordJong by pogo http://game1.pogo.com/applet-6.7.0.40/wordjong/wordjong-en_US.cab (Reg Error: Key error.)
O16 - DPF: World Class Solitaire by pogo http://game1.pogo.com/applet-6.7.1.33/worldclass/worldclass-en_US.cab (Reg Error: Key error.)
[2010/07/02 23:54:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Mhuyes.bin
[2010/07/02 23:54:33 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bnukec.dat

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I was just going to say relax and wait for Essexboy… ;D

hooray! essexboy, you’re a genius! done the above steps, machine reboots perfectly! here’s the OTL scan log also. i’m curious, however…in the custom scan you had me run there, i notice there are lines for all the pogo games on my system. were these deleted? not a big deal at all since i only ever play one game on there anymore and i can always reload it, but i was just curious as to what happened to these, and if they were part of the problem?

The pogo games were ActiveX controls that were corrupt - so I just tidied them up, when you play the games again they will download for you as required

That looks ok now - if there are no further problems then run OTL, hit the cleanup button and it will disappear

thanks again for all your help!

Ok I hope this reaches you essexboy… I made some ppl mad by posting in their forum… I know it was stupid to do, but it was where I found your last post. :confused: I’m a female so naturally I’m not as gifted as men with computers lol… Anyway… if you have time to help me with my problem it would be greatly appreciated.

So every time I boot up my computer, it gives me an error message in some RUNDLL box… so I’m pretty sure that is the virus I have… Anyway… I’ve downloaded AVG, Malwarebytes, and OTL and none of them can locate the virus and get it off my computer. AVG spots something and will move it to virus vault but it just comes back the next day. I can’t get on internet explorer or everquestII, but those are the only two I am noticing right now that it isn’t allowing me to get on. Could you please, please help!!

Sorry I posted on that other forum :confused:

To start a new topic, go here ( logged in ) http://forum.avast.com/index.php?board=4.0
in top right corner is a " NEW TOPIC " just under the search

@ Jaaiden follow what Pondus says - attach the OTL logs and put a link to the topic here. I will then have a look see

For some reason it’s saying I’m not allowed to send personal messages. It won’t let me reply to yours at all :confused: I will attach it here for you. Sorry about the PM.

You need 20 posts to be able to use the PM function.

  • The problem comes from drive by spammers, who having registered put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can’t use the PM function either.

Unfortunately because of the actions of others legitimate members suffer by the actions to prevent this spamming.

Oh I see! I thought I was doing something wrong so thanks for letting me know! =)

You’re welcome, fortunately the PM function isn’t absolutely essential to resolving your problem.

Here we go - it looks like you have a rootkit

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-1614895754-789336058-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1614895754-789336058-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKU\S-1-5-21-1614895754-789336058-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1614895754-789336058-1801674531-500\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [Rzonibuzix] C:\WINDOWS\esaqayis.DLL File not found
O4 - HKLM..\Run: [vngqxmfx] C:\Documents and Settings\Administrator\Local Settings\Application Data\ahuygjice\qhbqvuotssd.exe File not found
O4 - HKU\.DEFAULT..\Run: [8JE5UHC6FZ] C:\WINDOWS\TEMP\Jcr.exe File not found
O4 - HKU\S-1-5-18..\Run: [8JE5UHC6FZ] C:\WINDOWS\TEMP\Jcr.exe File not found
O4 - HKU\S-1-5-21-1614895754-789336058-1801674531-500..\Run: [Amukabobituy] C:\WINDOWS\nomsvpr.DLL File not found
O4 - HKU\S-1-5-21-1614895754-789336058-1801674531-500..\Run: [vngqxmfx] C:\Documents and Settings\Administrator\Local Settings\Application Data\ahuygjice\qhbqvuotssd.exe File not found
[2010/07/23 21:24:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ahuygjice
[2010/08/18 01:39:00 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/08/17 22:51:39 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Iwknvzidnk.job
[2010/07/29 03:31:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dxunalosup.bin
[2010/07/29 02:26:32 | 000,000,000 | ---- | M] () -- C:\~.exe
[2010/07/25 21:05:09 | 000,002,804 | ---- | M] () -- C:\WINDOWS\omuxijum.dll
[2010/07/23 21:51:08 | 000,002,804 | ---- | M] () -- C:\WINDOWS\ikekazub.dll
[2010/07/23 21:49:03 | 000,002,804 | ---- | M] () -- C:\WINDOWS\uyoteroy.dll
[2010/07/23 21:26:58 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ixuhuqoboxebod.dat

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
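Both OTL fixes in this thread (the first one for the jewesusf.dll / ewajililunutow.dll RUNDLL errors, and the one just above for the rootkit) target the same handful of log entry types: Run values whose file is gone, a driver that is no longer on disk, an Internet Explorer proxy pointing at 127.0.0.1, and hidden scheduled-task files. The following is an added example, not part of the thread and not OTL's or Essexboy's own tooling: a small Python parser that reads OTL log lines and flags those entry types, so a reader can see why each line ended up in the fix. The sample lines are constructed from the entries quoted in this thread, plus one benign ctfmon.exe entry added as a control; the category names and the `Finding` class are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of OTL log lines. Paths and value names are the ones quoted
# in this thread; the ctfmon.exe entry is a benign control made up for the example.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\xzkwcqeh.sys -- (xzkwcqeh)
IE - HKU\S-1-5-21-1614895754-789336058-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1614895754-789336058-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
O4 - HKLM..\Run: [Fhimelehiz] C:\WINDOWS\ewajililunutow.DLL File not found
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1275210071-1078081533-839522115-1003..\Run: [Hfelisukinas] C:\WINDOWS\jewesusf.DLL File not found
O4 - HKU\.DEFAULT..\Run: [8JE5UHC6FZ] C:\WINDOWS\TEMP\Jcr.exe File not found
[2010/07/23 21:24:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ahuygjice
[2010/08/17 22:51:39 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Iwknvzidnk.job
"""

# Line shapes as they appear in OTL output (O4 = Run keys, DRV = drivers,
# IE = Internet Settings values, bracketed lines = the file/directory listing).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
DRV_RE = re.compile(r"^DRV - File not found .*? -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$")
IE_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<value>[^"]+)" = ?(?P<data>.*)$')
FILE_RE = re.compile(
    r"^\[(?P<stamp>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"(?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)
LOOPBACK = ("127.0.0.1", "localhost", "::1")


@dataclass
class Finding:
    kind: str    # category of the suspicious entry (names chosen for this example)
    detail: str  # Run value name, driver name, attribute string, ...
    path: str    # file path or registry data the entry points at
    raw: str     # the original OTL line, ready to paste into an :OTL fix section


def classify(line: str) -> Finding | None:
    """Return a Finding for one OTL line, or None when the line looks benign."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        # A Run value whose target is gone is exactly what produces the
        # "Error loading <dll> ... The specified module could not be found" popup:
        # the Run key still launches rundll32, but the AV already removed the DLL.
        if m.group("target").endswith("File not found"):
            target = m.group("target")[: -len("File not found")].strip()
            return Finding("orphaned_autostart", m.group("name"), target, line)
        return None
    m = DRV_RE.match(line)
    if m:
        return Finding("missing_driver", m.group("name"), m.group("path"), line)
    m = IE_RE.match(line)
    if m:
        value, data = m.group("value"), m.group("data").strip()
        if value == "ProxyServer" and any(h in data for h in LOOPBACK):
            # A proxy on the loopback interface funnels every browser request
            # through a local process; this is the usual source of search redirects.
            return Finding("proxy_loopback", value, data, line)
        if value == "ProxyEnable" and data == "1":
            return Finding("proxy_enabled", value, data, line)
        return None
    m = FILE_RE.match(line)
    if m:
        path, attrs = m.group("path"), m.group("attrs")
        if "\\tasks\\" in path.lower() and "H" in attrs:
            # Legitimate .job files are not hidden; hidden/system task files are a
            # common way for an infection to come back after the main file is removed.
            return Finding("hidden_task", attrs, path, line)
        return None
    return None


def parse_otl(text: str) -> list[Finding]:
    """Scan every line of an OTL log and collect the suspicious entries."""
    return [f for f in (classify(line) for line in text.splitlines()) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.kind for f in findings))


def otl_fix_section(findings: list[Finding]) -> str:
    """Assemble the flagged raw lines into an ':OTL' section, the shape used in this thread."""
    return ":OTL\n" + "\n".join(f.raw for f in findings)


if __name__ == "__main__":
    found = parse_otl(SAMPLE_OTL)
    for f in found:
        print(f"{f.kind:20} {f.detail:14} {f.path}")
    print(summarize(found))
    print(otl_fix_section(found))
```

The parser only echoes lines back; it does not decide anything on the machine. Its value is in showing what to look for: with the ctfmon.exe control left alone and the orphaned Run values, the loopback proxy and the hidden .job file flagged, the output matches the entries Essexboy chose to put in the fix.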

Ok I deleted all my anti virus software, but I saw some places on the Combo Fix log that recognized them so I’m not sure… maybe I have to get them out of the recycle bin?

Let me know if I’m posting the right files =)=) And thanks so much for helping me!! It’s amazing how you can figure out what’s wrong with my computer just from the logfiles! I wish I had that sort of talent. =( You are the best!

Ok that is the rootkit gone :wink: Redirects and DLL errors should be gone now

If you are going to uninstall AVG for Avast you will need to use the uninstall tool as there are several drivers/BHOs active http://www.avg.com/us-en/download-tools

You have two system files missing that I need to find replacements for

[*]Run OTL
[*]Select All Users
[*]Under the Custom Scan box paste this in

/md5start
sfcfiles.dll
wscntfy.exe
/md5stop

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]Post the log on completion

Ok I won’t be home again until tomorrow so I will post the log then ok? :slight_smile: Thanks a bunch!

No problem - when you reply next let me know what problems you have