2 DLLs missing when booting

[pfgbel]

Hello !
I am quite new with Avast software but already very happy with it as it removed viruses that were never "seen" before with another software !
However after the virus were removed, when I rebooted the pc 2 DLLs files are mentionned as being missing.
These are kozodobe.dll and kefuguhi.dllA small window opens and mentions they are missing.
Is this only because the registers were not cleaned ?
A solution would be welcome !

Thanks a lot in advance,
Pol

[CharleyO]

***

Be glad these 2 are missing as I do not think you want either of these on your computer.

For kozodobe.dll ......

The filename is associated with the malware groups:
Fraudulent Security Program
Malware Downloader
Cloaked Malware
http://www.prevx.com/filenames/174276329779308531-X1/KOZODOBE2EDLL.html

For kefuguhi.dll ......

The filename is associated with the malware groups:
Fraudulent Security Program
Cloaked Malware
http://www.prevx.com/filenames/X13932242975903373-X1/KEFUGUHI2EDLL.html

The question is why they were there in the first place?

Please download HijackThis from the link below. Do not download HJT to the desktop but instead download it into it's own folder on the hard drive.

Run the program but do not make any fixes and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted.

OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box.  Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/ 


***

[pfgbel]

Thank you for your help offer CharleyO !
Here are (enclosed file) the logfil you asked.

Thank you !
Pol

[CharleyO]

***

It is nice to see the below as it is often that they are not up to date.

Platform: Windows XP SP3 (WinNT 5.01.2600)      
   
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

~~~~~~~~~~~~

Here are the problem entries:

O2 - BHO: (no name) - {76a9a7ec-1c22-4bb4-8f48-4f48495cc1e1} - C:\WINDOWS\system32\gopikobi.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. This is related to the other 2 files listed above.
See ... http://www.prevx.com/filenames/16749204660543537-X1/GOPIKOBI2EDLL.html

O4 - HKLM\..\Run: [CPM0fd7dbe0] Rundll32.exe "c:\windows\system32\kefuguhi.dll",a
Unknown application which is related to the file mentioned my last post.

O4 - HKLM\..\Run: [kifelopeya] Rundll32.exe "C:\WINDOWS\system32\kozodobe.dll",s
Unknown application which is related to the file mentioned my last post.

O4 - HKUS\S-1-5-19\..\Run: [kifelopeya] Rundll32.exe "C:\WINDOWS\system32\kozodobe.dll",s (User 'SERVICE LOCAL')
Unknown application which is related to the file mentioned my last post.

O20 - AppInit_DLLs: c:\windows\system32\kefuguhi.dll,C:\WINDOWS\system32\tojowebo.dll
Unknown application which is related to the file mentioned my last post.

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kefuguhi.dll (file missing)
Unknown application which is related to the file mentioned my last post.

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kefuguhi.dll (file missing)
Unknown application which is related to the file mentioned my last post.


So, yes, the registry entries were not removed causing the small window to open.
To fix these unneeded entries, follow the below steps:

1 - Ensure that all other windows & programs are closed/not running.

2 - Run HJT again.

3 - When the log is presented, click the box to the left of the entries in the above listing.

4 - At the bottom, click the "Fix checked" button.

5 - Wait for it to finish it's work and then restart your computer.

On restart, you should no longer get the small window.
Please let me know the results.


***

[pfgbel]

Thank you so much CharleyO,
The result is now perfect after I followed your recommandations 

Thank you too for your remark about my computer state (up to date), I try indeed to keep it that way all the time, I think many problems can be avoided this way.

friendly,
Pol

[CharleyO]

***

You are most welcome, Pol, as I am happy to have helped you.   

Yes, many problems are avoided when the computer is kept up to date.

A belated welcome to the forums for you.   

Please come back often, learn more, and maybe help others.


***

[pfgbel]

Hello CharleyO,
Thank you for your kind words 

I wouldn't like you to spend too much time for me because others also need your help, so just in a few words:

I am about to instal Avast on my main computer at home, but I had like first to remove a problem I have in it with SVCHOST.EXE considered by my previous antivirus software as dangerous (what follows "svchost.exe" in fact !)
Enclosed the logfile generated with hijackthis
The window alert of my future ex-antivirus ... cannot be sent, unfortunaly (highly exceeds 200kb !) but it "says" object: C:\System Volume Information\_restore{D0128875-862B-4C8...\A0147088.exe and An event happened on a file modified by the application C:\WINDOWS\SYSTEM32\svchost.exe

Thanks in advance for your help !

friendly,
Pol

[CharleyO]

***

Sorry for the delay of an answer.

A0147088.exe is related to your recent infection with C:\System Volume Information\_restore{D0128875-862B-4C8...\A0147088.exe being in system restore (System Volume Information). It would be my suggestion to turn off system restore, restart your computer, and then turn on system restore again to set a new restore point.

An analysis of your latest HJT this log had only 3 questionable entries.
My research shows that there might be nothing wrong if you know these programs and web sites.

O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
http://www.threatexpert.com/files/shrink_pic.exe.html
If the program Shrink Pic is known to you, it should be OK. If not, then it can be fixed.

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://colruyt.fujiprint.be/Colruyt/UserControls/Part/Upload/ImageUploader5.cab
http://www.siteadvisor.com/sites/fujiprint.be/downloads/17119344/
If you know and trust the site colruyt.fujiprint.be, then this one should be OK. If not, then it should be fixed.

O16 - DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} (IlosoftImageUploadCtl Class) - http://webc.geosolve.be/controls/IlosoftImageUpload.dll
http://www.runscanner.net/fileinfo/iLoader.ocx.html
If you know and trust the site webc.geosolve.be, then this one should be OK. If not, then it should be fixed.

Other than the above entries, your HJT log was near perfect.

I hope this helps.


***

[Eddy]

O16 - DPF are recently Downloaded Program File. It is just a list. Just fix/remove them all to cleanup your registry a bit.

[CharleyO]

***

Thanks for the input, Eddy.   


***

[pfgbel]

Many thanks to both of you !
I corrected the problem in the "restore", it is now ok and the other programs/websites are indeed known, one of them being my personal website dedicated to photography (www.geosolve.be) you may want to have a look... 
The problems are now completely solved !!
Have a good night 

friendly,
Pol

[Eddy]

Slaap lekker en een fijn weekend :-)

[CharleyO]

***

You are welcome, Pol, and I am happy that all is solved now.   

Hope you have a great weekend!


***