Virtumondo Need Help Removing

edited November 2005 in Spyware & Virus Removal
Microsoft AntiSpyware finds this but doesn't remove it. I tried FixVundo.exe without any success. What do I do next? I'm no computer expert, by the way.

Here is the HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 4:29:00 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\hplampc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhfc.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
      VundoFix V2.1 by Atri
      By pressing enter you agree that you are using this at your own risk.
    • At this point press enter one time.
    • Next you will see:
      Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\jkhfc.dll


    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
      Please type in the second filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\cfhkj.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run, then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/

        O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhfc.dll

        O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)

        O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
        O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
        O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
        O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll

    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots, please continue with the instructions below.

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here, along with a new HijackThis log and the vundofix.txt file from the vundofix folder, into this topic.
        • edited October 2005
          Thanks for the help.

          The first thing I would like to point out is I never got a chance to type in the second filepath of C:\WINDOWS\system32\cfhkj.* because when I pressed Enter, F6 and Enter again it launched right into HijackThis.

          Here is the ActiveScan txt file results:

          Incident                      Status           Location
          Spyware:spyware/virtumonde    No disinfected   Windows Registry
          Spyware:Spyware/Virtumonde    No disinfected   C:\WINDOWS\system32\mljjh.dll
          Virus:Exploit/URLSpoof        Disinfected      Local Folders\Inbox\eBay Account Upgrade[~0000000.~]

          New HijackThis Log:

          Logfile of HijackThis v1.99.1
          Scan saved at 11:05:07 PM, on 10/29/2005
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\WINDOWS\ehome\ehSched.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\ehome\ehtray.exe
          C:\windows\system\hpsysdrv.exe
          C:\WINDOWS\System32\hphmon05.exe
          C:\HP\KBD\KBD.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          C:\WINDOWS\system32\hplampc.exe
          C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          C:\Program Files\Winamp\Winampa.exe
          C:\WINDOWS\ALCXMNTR.EXE
          C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Microsoft Money\System\reminder.exe
          C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          C:\Program Files\Handspring\HOTSYNC.EXE
          C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          C:\Program Files\Microsoft Office\Office\OSA.EXE
          C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
          C:\WINDOWS\ehome\ehmsas.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
          O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
          O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
          O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
          O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
          O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
          O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
          O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
          O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
          O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
          O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
          O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
          O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
          O4 - Global Startup: Adobe Gamma Loader.lnk = ?
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
          O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
          O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
          O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
          O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
          O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
          O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
          O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


          vundofix.txt file:

          VundoFix V2.15 by Atri

          Listing files contained in the vundofix folder.

          killvundo.bat
          process.exe
          ReadMe.txt
          vundo.reg
          vundofix.txt


          Filepaths entered

          The filepath entered was c:\windows\system32\jkhfc.dll

          The second filepath entered was


          Log from Process


          Killing PID 160 'smss.exe'

          Killing PID 864 'explorer.exe'
          Killing PID 864 'explorer.exe'
          Killing PID 864 'explorer.exe'


          Killing PID 256 'winlogon.exe'

          c:\windows\system32\jkhfc.dll Deleted sucessfully.

          Fixing Registry
        • Crunchie (Mandurah, Western Australia), Member
          edited October 2005
          Looks like you have a few instances of Vundo there. Can you repeat the steps for all of the below, one at a time, fix with HijackThis and post another log?

          C:\WINDOWS\system32\mllmj.dll

          C:\WINDOWS\system32\jmllm.*

          then;

          C:\WINDOWS\system32\sstqn.dll

          C:\WINDOWS\system32\nqtss.*

          then;

          C:\WINDOWS\system32\vturs.dll

          C:\WINDOWS\system32\srutv.*

          =

          Don't forget to fix the entries in the HijackThis log in between.
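The pattern the helper is working from above is visible in the logs themselves: each Vundo DLL is registered as a Winlogon Notify package whose subkey name is the DLL's own five-letter stem (jkhfc, mllmj, sstqn, vturs), the same DLL is re-pointed from the MSEvents BHO, and VundoFix is fed a second path that is the stem reversed (jkhfc.dll → cfhkj.*). The following script is an added example, not something posted in this thread or part of VundoFix or HijackThis: it reads HijackThis O2/O20 lines, flags entries matching that pattern, and prints the lines to tick in HijackThis plus the DLL/reversed-name pairs to type into VundoFix one run at a time. The allowlist of legitimate notify packages is an assumption I constructed, and the five-lowercase-letters heuristic comes only from the names in this thread, so it will miss variants that name their files differently (the mljjh.dll that ActiveScan reported never shows up in these logs at all).

```python
"""
Triage a HijackThis log for the Vundo/Virtumonde persistence pattern seen in this thread.

Heuristics (derived from the names in the logs above, not from a vendor signature):
  * an O20 Winlogon Notify subkey whose name equals the stem of a DLL in system32,
    where the stem is five random lowercase letters (jkhfc, mllmj, sstqn, vturs);
  * a companion file named with the stem reversed (jkhfc -> cfhkj.*), which is the
    "second filepath" VundoFix asks for;
  * an O2 BHO (MSEvents Object) that points at one of those same DLLs.
"""
import re
from dataclasses import dataclass

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<desc>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Notify packages that legitimately register on XP-era machines. This is an assumed,
# constructed allowlist (igfxcui is the only one present in this thread); extend it.
KNOWN_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "scecli",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

RANDOM_STEM = re.compile(r"[a-z]{5}")


@dataclass
class Finding:
    kind: str            # "notify" (O20) or "bho" (O2)
    name: str            # Notify subkey name, or the BHO description
    path: str            # DLL path exactly as HijackThis printed it
    missing: bool        # True when HijackThis appended "(file missing)"
    companion_glob: str  # reversed-name sibling, e.g. "cfhkj.*" for jkhfc.dll
    line: str            # the full log line, to tick in HijackThis


def _stem(path: str) -> str:
    """Lower-case file name without extension: C:\\WINDOWS\\system32\\jkhfc.dll -> jkhfc."""
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def _looks_like_vundo(name: str, path: str) -> bool:
    stem = _stem(path)
    return (name.lower() == stem                       # subkey named after the DLL itself
            and RANDOM_STEM.fullmatch(stem) is not None  # five random lowercase letters
            and "\\system32\\" in path.lower()           # dropped into system32
            and stem not in KNOWN_NOTIFY)


def triage(log_text: str) -> list[Finding]:
    """Return suspicious O20 and O2 entries. O20 lines are judged first because the
    O2 BHO lines appear earlier in the log but are flagged by matching an O20 DLL."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings: list[Finding] = []
    flagged_stems: set[str] = set()

    for line in lines:
        m = O20_RE.match(line)
        if m and _looks_like_vundo(m["name"], m["path"]):
            stem = _stem(m["path"])
            flagged_stems.add(stem)
            findings.append(Finding("notify", m["name"], m["path"], bool(m["missing"]),
                                    stem[::-1] + ".*", line))

    for line in lines:
        m = O2_RE.match(line)
        if m and _stem(m["path"]) in flagged_stems:
            stem = _stem(m["path"])
            findings.append(Finding("bho", m["desc"], m["path"], bool(m["missing"]),
                                    stem[::-1] + ".*", line))
    return findings


def vundofix_paths(findings: list[Finding]) -> list[tuple[str, str]]:
    """(DLL, reversed-name glob) pairs to type into VundoFix, one pair per run.
    Entries marked "(file missing)" are registry leftovers only and are skipped."""
    pairs = []
    for f in findings:
        if f.kind == "notify" and not f.missing:
            folder = f.path.rsplit("\\", 1)[0]
            pairs.append((f.path, folder + "\\" + f.companion_glob))
    return pairs


def hjt_fix_lines(findings: list[Finding]) -> list[str]:
    """Every flagged line, present or missing, still has a registry entry to fix."""
    return [f.line for f in findings]


# Lines copied from the second log posted in this thread (page content, not constructed).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Tick these in HijackThis:")
    for ln in hjt_fix_lines(found):
        print("  " + ln)
    print("Run VundoFix once per pair (first path, then second path):")
    for dll, glob in vundofix_paths(found):
        print(f"  {dll}  then  {glob}")
```

On the second log this yields exactly the three DLL/glob pairs the helper listed (mllmj/jmllm, sstqn/nqtss, vturs/srutv) and skips jkhfc, which is already "(file missing)" and only needs its registry entry fixed. The "(file missing)" flag matters for a second reason: the BHO's CLSID stays constant across the three logs while its path moves from jkhfc.dll to mllmj.dll to vturs.dll, so a clean log is one where no O2 or O20 line matches at all, not one where the last flagged line merely reads "(file missing)".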
        • edited October 2005
          Crunchie,

          It was getting late last night so I gave up and went to bed. I did what you said above and it's still there.

          Here is the ActiveScan result:


          Incident                      Status           Location
          Adware:adware/gator           No disinfected   Windows Registry
          Spyware:Spyware/Virtumonde    No disinfected   C:\WINDOWS\system32\mljjh.dll

          Here is the HijackThis Log:

          Logfile of HijackThis v1.99.1
          Scan saved at 2:06:08 PM, on 10/30/2005
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\WINDOWS\ehome\ehSched.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\ehome\ehtray.exe
          C:\windows\system\hpsysdrv.exe
          C:\WINDOWS\System32\hphmon05.exe
          C:\HP\KBD\KBD.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          C:\WINDOWS\system32\hplampc.exe
          C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          C:\Program Files\Winamp\Winampa.exe
          C:\WINDOWS\ALCXMNTR.EXE
          C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Microsoft Money\System\reminder.exe
          C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
          C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          C:\Program Files\Handspring\HOTSYNC.EXE
          C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          C:\Program Files\Microsoft Office\Office\OSA.EXE
          C:\WINDOWS\ehome\ehmsas.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Program Files\Common Files\Real\Update_OB\realevent.exe
          C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\vturs.dll (file missing)
          O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
          O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
          O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
          O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
          O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
          O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
          O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
          O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
          O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
          O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
          O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
          O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
          O4 - Global Startup: Adobe Gamma Loader.lnk = ?
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
          O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
          O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
          O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
          O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
          O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
          O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
          O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

          Here is the vundofix.txt file:

          VundoFix V2.15 by Atri

          Listing files contained in the vundofix folder.

          killvundo.bat
          process.exe
          ReadMe.txt
          vundo.reg
          vundofix.txt


          Filepaths entered

          The filepath entered was c:\windows\system32\jkhfc.dll

          The second filepath entered was c:\windows\system32\cfhkj.*


          Log from Process


          Killing PID 160 'smss.exe'

          Killing PID 820 'explorer.exe'


          Killing PID 256 'winlogon.exe'

          c:\windows\system32\jkhfc.dll Deleted sucessfully.
          c:\windows\system32\cfhkj.* Deleted sucessfully.

          Fixing Registry

          Note I did run the tool on the vturs.dll and sstqn.dll as well from safe mode but didn't copy and paste the vundofix.txt each time.
        • Crunchie (Mandurah, Western Australia), Member
          edited October 2005
          Can you please do the following.

          ===============

          Run HiJackThis, click "Scan", then check(tick) the following, if present:


          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/

          O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\vturs.dll (file missing)

          O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)

          O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
          O4 - Global Startup: Adobe Gamma Loader.lnk = ?

          O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
          O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
          O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
          O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)


          Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

          ===============

          Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

          Search for...

          ALCXMNTR.EXE

          ...using "Start | Search...".

          -

          Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

          -

          Reboot.

          ===============

          After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
        • edited October 2005
          Crunchie,

          I think you got it this time. I ran Microsoft AntiSpyware and it ran clean this time. The HijackThis log is below.

          The next question is there a tool I should be running to keep this off my PC in the future?

          Thank you for all of the help.

          Logfile of HijackThis v1.99.1
          Scan saved at 4:32:59 PM, on 10/30/2005
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\WINDOWS\ehome\ehSched.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\ehome\ehtray.exe
          C:\windows\system\hpsysdrv.exe
          C:\WINDOWS\System32\hphmon05.exe
          C:\HP\KBD\KBD.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          C:\WINDOWS\system32\hplampc.exe
          C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          C:\Program Files\Winamp\Winampa.exe
          C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Microsoft Money\System\reminder.exe
          C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          C:\Program Files\Handspring\HOTSYNC.EXE
          C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          C:\Program Files\Microsoft Office\Office\OSA.EXE
          C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\WINDOWS\ehome\ehmsas.exe
          C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
          O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
          O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
          O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
          O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
          O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
          O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
          O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
          O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
          O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
          O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
          O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
          O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
          O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
          O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
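          A small triage script, added here as an example and not part of this thread or of HijackThis itself: it parses the R/O lines quoted in the two logs above, flags the same kinds of entries Crunchie asked the poster to fix (a target marked "(file missing)" or "(no file)", a Run entry that is a bare file name, a startup shortcut whose target is "?"), and diffs the before and after logs to confirm what "Fix checked" actually removed. The sample lines are copied from the logs in this thread; the flagging rules are heuristics of this example, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from this thread or from HijackThis. The sample
lines below are copied from the logs posted in the thread; the flagging
rules are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Relevant lines from the log posted BEFORE the fix (copied from the thread).
BEFORE_LOG = r"""
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\vturs.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# The same sections from the log posted AFTER "Fix checked" and the reboot.
AFTER_LOG = r"""
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "O20"
    body: str  # everything after "O20 - "


# A HijackThis line starts with a section code (R1, F2, N3, O20 ...) and " - ".
LINE_RE = re.compile(r"^\s*([RFNO]\d+) - (.+?)\s*$")
# O4 Run entries look like "[ValueName] command line".
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries found in a HijackThis log excerpt."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _bare_run_target(body: str) -> bool:
    """True when a Run value is a bare file name (resolved via the search path)."""
    m = RUN_RE.search(body)
    if not m:
        return False
    cmd = m.group("cmd").strip().strip('"')
    return "\\" not in cmd and "/" not in cmd


def flag_suspicious(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Apply the example's heuristics and return (entry, reason) pairs."""
    flagged = []
    for e in entries:
        reason = None
        if "(file missing)" in e.body:
            reason = "load point whose target file is missing"
        elif "(no file)" in e.body:
            reason = "toolbar/BHO registered with no file"
        elif e.code == "O4" and _bare_run_target(e.body):
            reason = "Run entry without a full path"
        elif e.code == "O4" and e.body.endswith("= ?"):
            reason = "startup shortcut with an unresolved target"
        if reason:
            flagged.append((e, reason))
    return flagged


def diff_logs(before_text: str, after_text: str) -> list[Entry]:
    """Entries present in the before log that are gone from the after log."""
    after = set(parse_hjt(after_text))
    return [e for e in parse_hjt(before_text) if e not in after]


if __name__ == "__main__":
    for entry, why in flag_suspicious(parse_hjt(BEFORE_LOG)):
        print(f"FLAG {entry.code}: {entry.body}  <- {why}")
    print("Removed by the fix:")
    for entry in diff_logs(BEFORE_LOG, AFTER_LOG):
        print(f"  {entry.code} - {entry.body}")
```

          Running it against the two excerpts shows that every entry the heuristics flag is also one that disappeared between the two logs, while the legitimate igfxcui notify package and the ATI service survive both checks.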
        • Crunchie (Mandurah, Western Australia), Member
          edited October 2005
          cny_af32d wrote:
          The next question is there a tool I should be running to keep this off my PC in the future?

          Not that I know of, except to try using another browser such as Opera or Firefox.

          ==

          Congratulations! Your log looks clean - good work!

          ===============

          Now that your PC is clean you need to follow these easy steps to keeping it this way:

          Secure your Internet Explorer by going here and following the instructions there.

          Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

          Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

          Install and keep updated Ad-Aware SE and Spybot S&D.
          Run them both on a regular basis, following the manufacturer's recommendations.

          Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

          Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


          Clear your Temp folders.
          Clear out your Temporary internet files and other temp files.
          Go to Start > Settings > Control Panel >Internet Options.

          Under the General tab click the Delete temporary internet files,
          delete all Offline content as well. Clear out Cookies.

          Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

          Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

          C:\Documents and Settings\username\Local Settings\Temp\

          In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

          Empty the Recycle Bin.

          For XP users.
          After something like this it is a good idea to Flush the Restore Points and start fresh.
          To flush the XP system Restore Points.

          Go to Start>Run and type msconfig. Press enter.

          When msconfig opens, click the Launch System Restore Button.
          On the next page, click the System Restore Settings link on the left.

          Check the box labelled 'Turn off System restore'.

          Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

          Note that all previous restore points will be lost.

          ===============

          If everything is running ok, let's do the final cleanup...

          ===============

          1. Run "Disk Cleanup" and allow it to remove everything it finds.

          2. If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.

          3. Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan".

          4. Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.

          5. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.

          ===============

          If you have any more problems, post back.

          -

          Happy surfing,

          crunchie.
        • edited November 2005
          I have Norton Antivirus and it says i am infected with Trojan.Vundo.B in my C:\WINDOWS\system32\sstqn.dll file. I am not exactly sure what to do, even though you explained it above. Because I don't want to damage my computer, I thought I would ask first (because the instructions above are not specifically for sstqn.dll). Thank you.
        • edited November 2005
          I just tried what you said above. When I typed in the first prompt, it said it could not locate Hijack This. Now What??????
        • Crunchie (Mandurah, Western Australia), Member
          edited November 2005
          Install hijackthis (or download it from our security section) and run it from a permanent folder.
          Start your own thread and post your log there.