Vundo -Help (getting lots of pop ups.)

[Kyle]

Was thinking I was done with all this crap but,I let my friend use my PC when I was asleep.
And I guess my AVG running was not a enough for his adult sites...
Anyway...Did all the steps in order.
Here are my logs.


[attachment deleted by admin]

[Kyle]

Also Something pops up saying 'C:/windows/system32/zanamalo.dll' Error when I restart.
And I can not access some sites.(ie: when I did a search for "zanamalo" )

[Kyle]

Here is a log for ComboFix I ran as well.


[attachment deleted by admin]

[CBMatt]

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

File::
c:\windows\system32\bzklha.dll
c:\windows\system32\nozigita.dll
c:\windows\system32\momayabe.dll
c:\windows\system32\pmnmnOhI.dll
c:\windows\system32\zanamalo.dll

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze

[Kyle]

Here is my new log.
Thanks for the help.

[attachment deleted by admin]

[CBMatt]

Open up HijackThis and run another scan.  If you find these entries, place checkmarks next to them:

O2 - BHO: (no name) - {79616925-01c5-4661-a9c8-7bc01833ca57} - C:\WINDOWS\system32\momayabe.dll (file missing)
O2 - BHO: (no name) - {B41AEA4D-CCB2-4B91-9DDF-86B5245E326A} - C:\WINDOWS\system32\pmnmnOhI.dll (file missing)

O4 - HKLM\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: avgrsstx.dll bzklha.dll crzhlv.dll C:\WINDOWS\system32\nagadogu.dll c:\windows\system32\nozigita.dll

Close all other windows (including this one) and click on Fix Checked.  Then run another scan with HijackThis and post the new log here.

[Kyle]

None of the above there.-No Pop-pops but,still showing some Vundo crap on Search and destroy.
Here is the log.

[attachment deleted by admin]

[CBMatt]

I don't see anything malicious in this new log.  Perhaps you should try ComboFix again (and post a new log).  Can you post a log from Spybot - Search & Destroy?  Perhaps it is merely finding backups or quarantined files...