Need help here!


This topic is locked
20 replies to this topic

#1 betsykk

Posted 27 December 2005 - 08:40 AM

Here's the original message:

http://www.winfixer....7&lid=error win

and here's a copy of hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:26:16 AM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\windows\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Labtec\Mouse\2.1\moffice.exe
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...ast?query=23068
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.visi.net"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\windows\system32\ssttq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Keynote Connector Launcher) - http://xms.keynote.c...torLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D888586-0A31-42F3-866D-363F79EABC9F}: NameServer = 209.163.125.3 209.163.126.3
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttq - C:\windows\system32\ssttq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\windows\system32\drivers\KodakCCS.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\windows\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I would appreciate any and all help!!!!!!
Liz


#2 pskelley

Posted 30 December 2005 - 07:39 PM

Hello Liz and welcome to TomCoyote forums. If you still need help, this is the Vundo trojan and you can remove it if you will follow the directions.

First: You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas....nsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas....tehjtfolder.htm

Thanks to Atribune and any others who helped with this fix

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\windows\system32\ssttq.dll

  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\windows\system32\qttss.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\windows\system32\ssttq.dll
    O20 - Winlogon Notify: ssttq - C:\windows\system32\ssttq.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

We will have more to do.

Thanks...pskelley
TomCoyote forum
Expert Member

Edited by pskelley, 30 December 2005 - 07:40 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
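
As an added example, not part of this thread or of the HijackThis or VundoFix tools, the Python below parses the O2 and O20 lines of an HJT log, flags a DLL that is registered as both a BHO and a Winlogon Notify package (the ssttq.dll pair fixed above), and derives the reversed-name path the VundoFix step asks for. The sample lines are copied from Liz's log.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: four lines copied from the HJT log in this thread,
# two legitimate entries and the ssttq.dll pair that the fix above targets.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\windows\system32\ssttq.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttq - C:\windows\system32\ssttq.dll
"""

# One pattern per HJT section of interest; named groups keep the entries uniform.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}


def normalize(path):
    """Case-folded, quote-stripped key so SYSTEM32 and system32 compare equal."""
    return str(PureWindowsPath(path.strip().strip('"'))).lower()


def parse_hjt(text):
    """Return a list of dicts (kind, name, path, key, raw) for O2 and O20 lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                entry = match.groupdict()
                entry.update(kind=kind, raw=line, key=normalize(entry["path"]))
                entries.append(entry)
                break
    return entries


def find_bho_winlogon_pairs(entries):
    """DLL keys registered both as a BHO (O2) and a Winlogon Notify package (O20).

    That pairing on one unfamiliar system32 DLL is what pskelley pointed at in
    the log above; a DLL present in only one of the two roles is not flagged.
    """
    roles = defaultdict(set)
    for entry in entries:
        roles[entry["key"]].add(entry["kind"])
    return sorted(key for key, kinds in roles.items() if {"O2", "O20"} <= kinds)


def vundofix_second_path(key):
    """The second path VundoFix asks for: the DLL's name spelt backwards plus '.*'."""
    dll = PureWindowsPath(key)
    return str(dll.parent / (dll.stem[::-1] + ".*"))


def lines_to_fix(entries, key):
    """The raw HJT lines to tick before 'Fix checked' for the flagged DLL."""
    return [entry["raw"] for entry in entries if entry["key"] == key]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for key in find_bho_winlogon_pairs(found):
        print("suspect DLL:         ", key)
        print("VundoFix second path:", vundofix_second_path(key))
        for raw in lines_to_fix(found, key):
            print("  fix checked:", raw)
```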

#3 betsykk

Posted 01 January 2006 - 04:37 PM

Thanks for the quick reply. Unfortunately you are speaking to the functionally illiterate computer wise. I attempted to put my computer in safe mode. After pressing F8 and putting it in safe mode and putting it in XP mode I didn't get much farther. The black screen says Safe Mode Windows XP...but I can go no further. I know it said it could take awhile to come on but I walked away for 2 hrs and the screen stayed the same. There are no folders for me to click on..just the black screen. I'm not sure what to do at this point and appreciate further instructions. Thanks!!!!! Liz

#4 pskelley

Posted 01 January 2006 - 04:52 PM

I will post some links with visuals, but unfortunately this is a nasty trojan and this fix needs to be run as posted.

How to start Windows XP in safe mode; different sites showing how to do this:
http://www.bleepingc...tutorial61.html
http://service1.syma...src=sec_doc_nam
http://www.computerh...sues/chsafe.htm

My one suggestion would be to ask someone you know with more computer experience to lend a hand.

Thanks...pskelley

#5 betsykk

Posted 01 January 2006 - 05:01 PM

LOL! Will do!!...it might take me a few days but I will find someone and go through the steps and then post. thanks!

#6 pskelley

Posted 11 January 2006 - 06:04 PM

Hey Liz, have you resolved your issues? I have not heard from you since 1/1. I have come up with a fix for Vundo that is easier to do if you still have the problem. If you do and want me to post this fix, post a new HJT log since so much time has gone by. If I do not hear from you I will close this topic in 24 hours. Thanks...Phil :wavey:

#7 betsykk

Posted 11 January 2006 - 06:58 PM

I am sooo sorry not to respond sooner. Frankly, I have been pretty intimidated by the entire process so stuck my head in the sand and did nothing. I will gladly accept your new offer of help. Unfortunately my dedicated phone line went out today so I don't want to spend the time working on it tonight and use up my other phone (dial up is sloooow here!). I will copy it again and post it for you tomorrow if Verizon arrives early enough...Friday if not. Thanks again! Liz

#8 betsykk

Posted 12 January 2006 - 05:18 AM

Thanks again for your help!

Logfile of HijackThis v1.99.1
Scan saved at 6:14:56 AM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\windows\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Labtec\Mouse\2.1\moffice.exe
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\windows\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ST6BOL23\HijackThis[1].exe
C:\windows\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...ast?query=23068
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.visi.net"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\windows\system32\ssttq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136209821500
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Keynote Connector Launcher) - http://xms.keynote.c...torLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D888586-0A31-42F3-866D-363F79EABC9F}: NameServer = 209.163.125.3 209.163.126.3
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttq - C:\windows\system32\ssttq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\windows\system32\drivers\KodakCCS.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\windows\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 pskelley

Posted 12 January 2006 - 08:14 AM

Hi Liz, let's see if you and I can clean this up together. First, do not look at the earlier Vundo instructions, we will try a different, new method. Even though we may not be using HJT, I would still like to put it where it belongs. Let me try that first, then I will give you the tool to remove Vundo.

Here is where HJT is now:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ST6BOL23\HijackThis[1].exe
It is residing in your Temporary Internet Files and if you should delete them, we would lose backups if we need them. Here is what I would like you to do:

Open the MyComputer Icon which should be on the Desktop. It may take one or two clicks depending on how it is set. Once it opens, look for the Local Disk (C:) and click it to open it. Now you see a bunch of yellow folders and we want to make a new one. Point your mouse at a blank spot and right click, then scroll down to NEW and click it, the next menu at the top, click on FOLDER. Now you have a new folder with blue in the box under it. Type HJT in that box.

Now we must get HJT.exe. On that same C:\ drive look for a folder called: Documents and Settings, open that folder and look for a folder called: Owner. Open that folder and look for one called: Local Settings, open that folder and look for: Temporary Internet Files, open that folder and look for: Content.IE5. Open that folder and you will see the HJT.exe.

Point your mouse at the HJT.exe and right click it, then go down to the word CUT and click it. Now you have HJT.exe on the clipboard. Close all the folders back to the C:\ drive and find the HJT folder and open it. Once it is open, and it is empty, point the mouse at the folder and right click then click on Paste. Now HJT.exe should be in that folder. You can also move the HJT log in your TIF folders to this one if you wish. You can do this, just take your time :)

Now let's kill that Vundo trojan:

Please start by downloading VirtumundoBegone here: http://secured2k.hom...mundoBeGone.exe and save it to your desktop.

When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply. Please also post a new HJT log so I can make sure the trojan is gone.

Thanks...Phil

#10 betsykk

Posted 12 January 2006 - 08:50 AM

Ok..I have run into a slight problem. When I open the Owner file, there is no folder that says "Local Settings". I have 6 folders: Start menu, windows, My documents, User Data, Desk Top and Cookies, along with several drafts.snm, trash.snm. Please advise!


#11 pskelley

Posted 12 January 2006 - 09:02 AM

Hi Liz, here is the path which is showing in the last HJT log you sent me:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ST6BOL23\HijackThis[1].exe

1) C:\Documents and Settings\

2) Owner\

3) Local Settings\

4) Temporary Internet Files\

5) Content.IE5\

6) HijackThis[1].exe

This is the information you sent me, there could be slight differences and sometimes HJT will shorten the name of a folder, but the difference should not be so great that you can not follow the path to HJT.exe.
Whether you do this or not will not affect your ability to use the next step to remove the trojan, this is just for future safety. If you can not do it :( then move on to the Vundo removal.

Thanks...Phil

#12 betsykk

Posted 12 January 2006 - 09:10 AM

Phil, When I go into Owner, and click on the folder labeled My documents, there is a document there called Hijack this, which has the info on Notepad? Is this what you are talking about and should I move that to the new folder I created? Thank you for your extreme patience! Liz

#13 pskelley

Posted 12 January 2006 - 09:17 AM

No Liz, do not confuse MyDocuments with Documents and Settings. You must look for and open them in the numbered order. In the Owner (and this might be your name, you are the owner, on my computer OWNER is my name) folder the next one to open is Local Settings\. When you get to HJT it will look like this: HijackThis[1].exe

#14 betsykk

Posted 12 January 2006 - 09:39 AM

Is this right? It doesn't say vbg.txt on my desktop, but it does have vbg and a notepad icon, and this is what shows up when I click on it:

[01/12/2006, 10:17:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T3J7D14A\VirtumundoBeGone[1].exe" )
[01/12/2006, 10:17:54] - Detected System Information:
[01/12/2006, 10:17:54] - Windows Version: 5.1.2600, Service Pack 2
[01/12/2006, 10:17:54] - Current Username: Owner (Admin)
[01/12/2006, 10:17:54] - Windows is in NORMAL mode.
[01/12/2006, 10:17:54] - Searching for Browser Helper Objects:
[01/12/2006, 10:17:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:17:54] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:17:54] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:17:54] - BHO 4: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/12/2006, 10:17:54] - ALERT: Found ATLDistrib Object!
[01/12/2006, 10:17:54] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:17:54] - BHO 6: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:17:54] - BHO 7: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:17:54] - Finished Searching Browser Helper Objects
[01/12/2006, 10:17:54] - *** Detected ATLDistrib Object
[01/12/2006, 10:17:54] - Trying to remove ATLDistrib Object...
[01/12/2006, 10:17:55] - Terminating Process: IEXPLORE.EXE
[01/12/2006, 10:18:00] - Terminating Process: RUNDLL32.EXE
[01/12/2006, 10:18:00] - Disabling Automatic Shell Restart
[01/12/2006, 10:18:00] - Terminating Process: EXPLORER.EXE
[01/12/2006, 10:18:02] - Suspending the NT Session Manager System Service
[01/12/2006, 10:18:02] - Terminating Windows NT Logon/Logoff Manager
[01/12/2006, 10:18:04] - Re-enabling Automatic Shell Restart
[01/12/2006, 10:18:04] - File to disable: C:\windows\system32\ssttq.dll
[01/12/2006, 10:18:04] - Renaming C:\windows\system32\ssttq.dll -> C:\windows\system32\ssttq.dll.vir
[01/12/2006, 10:18:05] - ! File rename was unsucessful.
[01/12/2006, 10:18:05] - Attempting to Deny Access to C:\windows\system32\ssttq.dll
[01/12/2006, 10:18:05] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/12/2006, 10:18:05] - processed file: C:\windows\system32\ssttq.dll
[01/12/2006, 10:18:05] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/12/2006, 10:18:06] - Removing HKLM\...\Browser Helper Objects\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/12/2006, 10:18:06] - Removing HKCR\CLSID\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/12/2006, 10:18:06] - Adding Kill Bit for ActiveX for GUID: {93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/12/2006, 10:18:06] - Deleting ATLEvents/MSEvents Registry entries
[01/12/2006, 10:18:06] - Removing HKLM\...\Winlogon\Notify\ssttq
[01/12/2006, 10:18:07] - Searching for Browser Helper Objects:
[01/12/2006, 10:18:07] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:18:07] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:18:07] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:18:07] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:18:07] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:18:07] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:18:07] - Finished Searching Browser Helper Objects
[01/12/2006, 10:18:07] - Finishing up...
[01/12/2006, 10:18:07] - A restart is needed.
[01/12/2006, 10:18:14] - Attempting to Restart via STOP error (Blue Screen!)
[01/12/2006, 10:29:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[01/12/2006, 10:29:13] - Detected System Information:
[01/12/2006, 10:29:13] - Windows Version: 5.1.2600, Service Pack 2
[01/12/2006, 10:29:13] - Current Username: Owner (Admin)
[01/12/2006, 10:29:13] - Windows is in NORMAL mode.
[01/12/2006, 10:29:13] - Searching for Browser Helper Objects:
[01/12/2006, 10:29:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:29:13] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:29:13] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:29:13] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:29:13] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:29:13] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:29:13] - Finished Searching Browser Helper Objects
[01/12/2006, 10:29:14] - Finishing up...
[01/12/2006, 10:29:14] - Nothing found! Exiting...
[01/12/2006, 10:37:00] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[01/12/2006, 10:37:03] - Detected System Information:
[01/12/2006, 10:37:03] - Windows Version: 5.1.2600, Service Pack 2
[01/12/2006, 10:37:03] - Current Username: Owner (Admin)
[01/12/2006, 10:37:03] - Windows is in NORMAL mode.
[01/12/2006, 10:37:03] - Searching for Browser Helper Objects:
[01/12/2006, 10:37:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:37:03] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:37:03] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:37:03] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:37:03] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:37:03] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:37:03] - Finished Searching Browser Helper Objects
[01/12/2006, 10:37:03] - Finishing up...
[01/12/2006, 10:37:03] - Nothing found! Exiting...
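The log above is the useful artifact in this post: it shows the tool enumerating Browser Helper Objects from the registry, flagging the ATLDistrib Object BHO, removing its CLSID and the matching Winlogon\Notify entry, and then failing to rename the backing DLL (which it says the user must delete by hand). The following Python is an added example, not part of betsykk's post and not code from the VirtumundoBeGone tool; it parses this log format (assumed from the lines pasted above) into per-run records, so a helper can see at a glance which BHO disappeared between runs and which files still need manual follow-up. The sample log is an excerpt of the entries in the post, trimmed to what the parser uses.

```python
"""Summarise a VirtumundoBeGone-style log: BHOs present per run, what the tool
flagged, and what it could not finish (files still needing manual deletion).
Added example, not the tool's own code; log format assumed from the post above."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r'^\[(\d{2}/\d{2}/\d{4}), (\d{2}:\d{2}:\d{2})\] - (.*)$')
RUN_RE = re.compile(r'^VirtumundoBeGone v[\d.]+ \( "(.*)" \)$')
BHO_RE = re.compile(r'^BHO \d+: (\{[0-9A-Fa-f-]{36}\}) \((.*)\)$')
REMOVED_CLSID_RE = re.compile(r'^Removing .*(\{[0-9A-Fa-f-]{36}\})$')


@dataclass
class Run:
    exe_path: str
    bhos: dict = field(default_factory=dict)            # CLSID -> friendly name
    alerts: list = field(default_factory=list)
    removed_clsids: list = field(default_factory=list)  # CLSIDs the tool deleted
    notify_removed: list = field(default_factory=list)  # Winlogon\Notify subkeys removed
    rename_failed: bool = False
    disabled_files: list = field(default_factory=list)  # files "processed" but left on disk


def parse_log(text):
    """Split the log into runs, one per 'VirtumundoBeGone vX.Y ( "..." )' header."""
    runs = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # not a timestamped entry
        msg = m.group(3)
        rm = RUN_RE.match(msg)
        if rm:
            runs.append(Run(exe_path=rm.group(1)))
            continue
        if not runs:
            continue                      # entry before the first header
        run = runs[-1]
        bm = BHO_RE.match(msg)
        cm = REMOVED_CLSID_RE.match(msg)
        if bm:
            run.bhos[bm.group(1).upper()] = bm.group(2)   # normalise mixed-case GUIDs
        elif msg.startswith("ALERT:"):
            run.alerts.append(msg[len("ALERT:"):].strip())
        elif cm:
            clsid = cm.group(1).upper()
            if clsid not in run.removed_clsids:           # HKLM and HKCR lines name the same CLSID
                run.removed_clsids.append(clsid)
        elif msg.startswith("Removing ") and "\\Winlogon\\Notify\\" in msg:
            run.notify_removed.append(msg.rsplit("\\", 1)[1])
        elif msg.startswith("! File rename was"):         # tool's own wording, misspelling included
            run.rename_failed = True
        elif msg.startswith("processed file:"):
            run.disabled_files.append(msg.split(":", 1)[1].strip())
    return runs


def bho_diff(before, after):
    """CLSIDs enumerated in 'before' that are no longer listed in 'after'."""
    return sorted(set(before.bhos) - set(after.bhos))


def manual_followups(runs):
    """Files the tool disabled but could not rename: these still need deleting by hand."""
    todo = []
    for run in runs:
        if run.rename_failed:
            todo.extend(run.disabled_files)
    return todo


# Excerpt of the log pasted in the post above, trimmed to the entries the parser uses.
SAMPLE_LOG = r"""
[01/12/2006, 10:17:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T3J7D14A\VirtumundoBeGone[1].exe" )
[01/12/2006, 10:17:54] - Current Username: Owner (Admin)
[01/12/2006, 10:17:54] - Searching for Browser Helper Objects:
[01/12/2006, 10:17:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:17:54] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:17:54] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:17:54] - BHO 4: {93C6313C-9DB4-4694-8BD0-E378C573A9AD} (ATLDistrib Object)
[01/12/2006, 10:17:54] - ALERT: Found ATLDistrib Object!
[01/12/2006, 10:17:54] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:17:54] - BHO 6: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:17:54] - BHO 7: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:18:04] - Renaming C:\windows\system32\ssttq.dll -> C:\windows\system32\ssttq.dll.vir
[01/12/2006, 10:18:05] - ! File rename was unsucessful.
[01/12/2006, 10:18:05] - processed file: C:\windows\system32\ssttq.dll
[01/12/2006, 10:18:06] - Removing HKLM\...\Browser Helper Objects\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/12/2006, 10:18:06] - Removing HKCR\CLSID\{93C6313C-9DB4-4694-8BD0-E378C573A9AD}
[01/12/2006, 10:18:06] - Removing HKLM\...\Winlogon\Notify\ssttq
[01/12/2006, 10:29:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[01/12/2006, 10:29:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/12/2006, 10:29:13] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[01/12/2006, 10:29:13] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[01/12/2006, 10:29:13] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2006, 10:29:13] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[01/12/2006, 10:29:13] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/12/2006, 10:29:14] - Nothing found! Exiting...
"""

if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    for i, run in enumerate(runs, 1):
        print(f"run {i}: {len(run.bhos)} BHOs, alerts={run.alerts}, removed={run.removed_clsids}")
    print("gone after cleanup:", bho_diff(runs[0], runs[1]))
    print("delete manually:", manual_followups(runs))
```

The two results worth acting on are the last two lines of output: the CLSID that vanished between the first and second run confirms the registry side of the cleanup took, while the rename failure plus the "processed file" path is exactly the case the tool's own IMPORTANT line warns about, so the DLL under system32 still has to be removed by the user before the machine is clean.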

#15 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 12 January 2006 - 09:43 AM

I need to see a new HJT log. :)
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
