Virtumonde, Tiny ID......mljkllm.dll? [Archive]

View Full Version : Virtumonde, Tiny ID......mljkllm.dll?

Steffan72

2007-07-19, 10:25

I cannot remove this Malware/Trojan.......I have tried different programs (i.e. symantec virtumonde removal, nod32, vundofix) and deleted registry entries and still the PC registers that I have the Virtumonde in the system. I have run ComboFix, Hijackthis and here are its logs..any help will be greatly appreciated, thanks. :bigthumb:

ComboFix

C:\WINDOWS\system32\goicvljt.dll
C:\WINDOWS\system32\qvptsemx.dll
C:\WINDOWS\system32\hqwhrrto.exe
C:\WINDOWS\system32\vriumwol.exe
C:\WINDOWS\system32\weidoxxs.exe
C:\WINDOWS\system32\ahgccwhw.dll
C:\WINDOWS\system32\elsnkyod.dll
C:\WINDOWS\system32\gbdvudua.dll
C:\WINDOWS\system32\iievykle.dll
C:\WINDOWS\system32\jfledxyc.dll
C:\WINDOWS\system32\mejrkllm.dll
C:\WINDOWS\system32\nysvhdwx.dll
C:\WINDOWS\system32\olmcjtoq.dll
C:\WINDOWS\system32\oxtxgtgl.dll
C:\WINDOWS\system32\puqhwypq.dll
C:\WINDOWS\system32\qqtpgavp.dll
C:\WINDOWS\system32\rtmkgueo.dll
C:\WINDOWS\system32\sxuqlkhs.dll
C:\WINDOWS\system32\tpkorlas.dll
C:\WINDOWS\system32\ttsvgrjw.dll
C:\WINDOWS\system32\uqxeyrod.dll
C:\WINDOWS\system32\vgifysct.dll
C:\WINDOWS\system32\viyubsuj.dll
C:\WINDOWS\system32\vweakrap.dll
C:\WINDOWS\system32\wgevxack.dll
C:\WINDOWS\system32\wglnlyli.dll
C:\WINDOWS\system32\ygymvdqv.dll
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
C:\WINDOWS\system32\xmestpvq.ini
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\mljkllm.dll
C:\WINDOWS\system32\mljkllm.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\mljkllm.dll
C:\WINDOWS\system32\mljkllm.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bnylqcwh.exe
C:\WINDOWS\system32\bsoplmjr.exe
C:\WINDOWS\system32\cfkfghia.exe
C:\WINDOWS\system32\clyjwdvg.exe
C:\WINDOWS\system32\crxdshha.exe
C:\WINDOWS\system32\dfeayfkx.exe
C:\WINDOWS\system32\eacwhsjs.exe
C:\WINDOWS\system32\efclpxfh.exe
C:\WINDOWS\system32\ehpoosbl.exe
C:\WINDOWS\system32\eqkhlalv.exe
C:\WINDOWS\system32\eswewlgv.exe
C:\WINDOWS\system32\euufnpvs.exe
C:\WINDOWS\system32\grebnkay.exe
C:\WINDOWS\system32\gsdogljg.exe
C:\WINDOWS\system32\hnfmcbxo.exe
C:\WINDOWS\system32\iauhuqie.exe
C:\WINDOWS\system32\jfojyygt.exe
C:\WINDOWS\system32\kpfgquxx.exe
C:\WINDOWS\system32\krvqrexm.exe
C:\WINDOWS\system32\logpchsh.exe
C:\WINDOWS\system32\mlgederm.exe
C:\WINDOWS\system32\mtaxcyji.exe
C:\WINDOWS\system32\nfwcemyt.exe
C:\WINDOWS\system32\opgjgypp.exe
C:\WINDOWS\system32\plhbleux.exe
C:\WINDOWS\system32\pmvophis.exe
C:\WINDOWS\system32\pqklvaqw.exe
C:\WINDOWS\system32\qaggoqkj.exe
C:\WINDOWS\system32\qmrdstug.exe
C:\WINDOWS\system32\qokdqjha.exe
C:\WINDOWS\system32\rnrstqft.exe
C:\WINDOWS\system32\ryrngicx.exe
C:\WINDOWS\system32\sgsckcuk.exe
C:\WINDOWS\system32\skdtpxny.exe
C:\WINDOWS\system32\tcvqulbq.exe
C:\WINDOWS\system32\txgmltuu.exe
C:\WINDOWS\system32\ugjqfokm.exe
C:\WINDOWS\system32\uormaiqn.exe
C:\WINDOWS\system32\verocqqh.exe

((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))

2007-07-18 14:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 14:14 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-16 13:32 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-16 13:32 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-16 13:32 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-10 13:26 175,616 --a------ C:\WINDOWS\system32\tet.exe
2007-07-10 13:26 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-10 13:23 <DIR> d-------- C:\VundoFix Backups
2007-07-10 12:56 266,336 --a------ C:\WINDOWS\system32\ssqrs.dll
2007-07-10 12:51 31,254 --a------ C:\WINDOWS\system32\mljkllm.dll
2007-07-10 12:51 175,616 --a------ C:\WINDOWS\tet.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 11:12:47 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MailWasherPro
2007-07-18 06:15:06 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Avant Browser
2007-07-10 11:45:21 -------- d-----w C:\Program Files\MSN Messenger
2007-07-10 11:28:19 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-06-12 06:44:15 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-06-11 10:28:32 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-11 10:21:21 -------- d-----w C:\Program Files\Nero
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-19 12:54:10 19,000 ----a-w C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{253AE266-52F7-4C9F-B096-AE76DD4AB706}]
2007-07-10 12:56 266336 --a------ C:\WINDOWS\system32\ssqrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 16:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F}]
2007-07-10 12:51 31254 --a------ C:\WINDOWS\system32\mljkllm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-28 00:21 C:\WINDOWS\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2006-06-02 02:22 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-19 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-14 10:02]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"QNPlus"="C:\Program Files\Conceptworld\QNPlus\QNPlus.exe" [2004-05-21 16:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F}"="C:\WINDOWS\system32\mljkllm.dll" [2007-07-10 12:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkllm]
mljkllm.dll --a------ 2007-07-10 12:51 31254 C:\WINDOWS\system32\mljkllm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs]
C:\WINDOWS\system32\ssqrs.dll --a------ 2007-07-10 12:56 266336 C:\WINDOWS\system32\ssqrs.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e71a95f4-3cdc-11db-98ee-0017313b1430}]
AutoRun\command- setupSNK.exe

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 14:28:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 14:30:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 14:30

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 15:09:09, on 18/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {253AE266-52F7-4C9F-B096-AE76DD4AB706} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\qmnweuom.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{844CA461-F432-4DC3-BF79-D93C2454EA83}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ken545

2007-07-19, 14:20

Hello Steffan72 and welcome to Safer Networking. You do have Vundo on your system that we need to get rid of.

First do this
Your Hijackthis program is current, but it is very important that it resides in its own folder.
We will use Hijackthis (HJT) to make changes to your system and HJT will make backups of those changes,
If HJT is not in its own folder, those backups could be lost.

Easy to fix.

just go to C:\ Program Files and create a new folder and name it Hijackthis .
Now scroll to where you have HJT currently, right click on the HJT icon and select CUT .
Now open the new folder you just created and right click within that folder and select PASTE .
Now HJT should reside in C:\Program Files\Hijackthis\Hijackthis.exe

Then this...

Now go to C:\Program Files\Hijackthis , open the folder and right click on the HJT icon ( looks like a red stick of dynamite with a plunger ) and rename it to Scanner.exe <-- Don't forget the .exe

Let me see a new HJT log with it in its own folder and renamed to Scanner.exe

Steffan72

2007-07-19, 15:24

Here you go Bro:crowned:

Regards

Stef:fear:

Logfile of HijackThis v1.99.1
Scan saved at 14:00:15, on 19/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {253AE266-52F7-4C9F-B096-AE76DD4AB706} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\qmnweuom.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{844CA461-F432-4DC3-BF79-D93C2454EA83}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ken545

2007-07-19, 19:33

Stef,

Use the current vundo removal tool.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

Some of these may be gone so not to worry.
O2 - BHO: (no name) - {253AE266-52F7-4C9F-B096-AE76DD4AB706} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\qmnweuom.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll

O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll

Run this system cleaner.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

Thank You Atribune

Let me see the Vundo log and a new HJT log and lets see if this got it all.

Ken:)

Steffan72

2007-07-20, 11:58

Hei Ken :fear:

I have done per your instructions...from the 4 entries that i clicked on the Fix Checked button in HiJackThis, two were removed but the O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} -C:\WINDOWS\system32\mljkllm.dll and the O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll still remains. I also run the ATF cleaner. It seems that I cannot get rid of the mljkllm.dll file..........

Here are my last two logs of VundoFix and HiJackThis.....

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 13:23:36 10/07/2007

Listing files found while scanning....

C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\ssqrs.dll

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 14:07:52 18/07/2007

Listing files found while scanning....

C:\windows\system32\ahxkqemh.ini
C:\windows\system32\bflvnwcr.ini
C:\windows\system32\cnpeolqg.ini
C:\windows\system32\dirtlrkf.dll
C:\windows\system32\eloswrps.dll
C:\windows\system32\geueelon.ini
C:\windows\system32\gifcjaog.ini
C:\windows\system32\goajcfig.dll
C:\WINDOWS\system32\goicvljt.dll
C:\windows\system32\gqloepnc.dll
C:\windows\system32\hmeqkxha.dll
C:\windows\system32\icefjqvp.ini
C:\windows\system32\ipixhpio.dll
C:\windows\system32\junqadck.ini
C:\windows\system32\kcdaqnuj.dll
C:\windows\system32\laiudxqs.ini
C:\windows\system32\lqieiqxm.ini
C:\windows\system32\mxqieiql.dll
C:\windows\system32\nljhwtro.ini
C:\windows\system32\noleeueg.dll
C:\windows\system32\ortwhjln.dll
C:\windows\system32\pudewjud.dll
C:\windows\system32\pvqjfeci.dll
C:\windows\system32\rcwnvlfb.dll
C:\windows\system32\sigtbpak.dll
C:\windows\system32\sprwsole.ini
C:\windows\system32\sqxduial.dll
C:\WINDOWS\system32\ssqrs.dll
C:\windows\system32\thqnymix.dll
C:\windows\system32\tjlvciog.ini
C:\windows\system32\ulcvoiji.dll
C:\windows\system32\wfkxwjns.dll

Beginning removal...

Attempting to delete C:\windows\system32\ahxkqemh.ini
C:\windows\system32\ahxkqemh.ini Has been deleted!

Attempting to delete C:\windows\system32\bflvnwcr.ini
C:\windows\system32\bflvnwcr.ini Has been deleted!

Attempting to delete C:\windows\system32\cnpeolqg.ini
C:\windows\system32\cnpeolqg.ini Has been deleted!

Attempting to delete C:\windows\system32\dirtlrkf.dll
C:\windows\system32\dirtlrkf.dll Has been deleted!

Attempting to delete C:\windows\system32\eloswrps.dll
C:\windows\system32\eloswrps.dll Has been deleted!

Attempting to delete C:\windows\system32\geueelon.ini
C:\windows\system32\geueelon.ini Has been deleted!

Attempting to delete C:\windows\system32\gifcjaog.ini
C:\windows\system32\gifcjaog.ini Has been deleted!

Attempting to delete C:\windows\system32\goajcfig.dll
C:\windows\system32\goajcfig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\goicvljt.dll
C:\WINDOWS\system32\goicvljt.dll Could not be deleted.

Attempting to delete C:\windows\system32\gqloepnc.dll
C:\windows\system32\gqloepnc.dll Has been deleted!

Attempting to delete C:\windows\system32\hmeqkxha.dll
C:\windows\system32\hmeqkxha.dll Has been deleted!

Attempting to delete C:\windows\system32\icefjqvp.ini
C:\windows\system32\icefjqvp.ini Has been deleted!

Attempting to delete C:\windows\system32\ipixhpio.dll
C:\windows\system32\ipixhpio.dll Has been deleted!

Attempting to delete C:\windows\system32\junqadck.ini
C:\windows\system32\junqadck.ini Has been deleted!

Attempting to delete C:\windows\system32\kcdaqnuj.dll
C:\windows\system32\kcdaqnuj.dll Has been deleted!

Attempting to delete C:\windows\system32\laiudxqs.ini
C:\windows\system32\laiudxqs.ini Has been deleted!

Attempting to delete C:\windows\system32\lqieiqxm.ini
C:\windows\system32\lqieiqxm.ini Has been deleted!

Attempting to delete C:\windows\system32\mxqieiql.dll
C:\windows\system32\mxqieiql.dll Has been deleted!

Attempting to delete C:\windows\system32\nljhwtro.ini
C:\windows\system32\nljhwtro.ini Has been deleted!

Attempting to delete C:\windows\system32\noleeueg.dll
C:\windows\system32\noleeueg.dll Has been deleted!

Attempting to delete C:\windows\system32\ortwhjln.dll
C:\windows\system32\ortwhjln.dll Has been deleted!

Attempting to delete C:\windows\system32\pudewjud.dll
C:\windows\system32\pudewjud.dll Has been deleted!

Attempting to delete C:\windows\system32\pvqjfeci.dll
C:\windows\system32\pvqjfeci.dll Has been deleted!

Attempting to delete C:\windows\system32\rcwnvlfb.dll
C:\windows\system32\rcwnvlfb.dll Has been deleted!

Attempting to delete C:\windows\system32\sigtbpak.dll
C:\windows\system32\sigtbpak.dll Has been deleted!

Attempting to delete C:\windows\system32\sprwsole.ini
C:\windows\system32\sprwsole.ini Has been deleted!

Attempting to delete C:\windows\system32\sqxduial.dll
C:\windows\system32\sqxduial.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Could not be deleted.

Attempting to delete C:\windows\system32\thqnymix.dll
C:\windows\system32\thqnymix.dll Has been deleted!

Attempting to delete C:\windows\system32\tjlvciog.ini
C:\windows\system32\tjlvciog.ini Has been deleted!

Attempting to delete C:\windows\system32\ulcvoiji.dll
C:\windows\system32\ulcvoiji.dll Has been deleted!

Attempting to delete C:\windows\system32\wfkxwjns.dll
C:\windows\system32\wfkxwjns.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 15:00:20 18/07/2007

Listing files found while scanning....

C:\windows\system32\qqijkwxs.dll
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\ssqrs.dll
C:\windows\system32\sxwkjiqq.ini

Beginning removal...

Attempting to delete C:\windows\system32\qqijkwxs.dll
C:\windows\system32\qqijkwxs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Has been deleted!

Attempting to delete C:\windows\system32\sxwkjiqq.ini
C:\windows\system32\sxwkjiqq.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:10:25 20/07/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:23:33 20/07/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:26:29 20/07/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:29:20 20/07/2007

Listing files found while scanning....

C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\ssttr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:36:10 20/07/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 10:41:57 20/07/2007

Listing files found while scanning....

No infected files were found.

HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:39:27, on 20/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F0DB6EA-0733-4C7C-8CFD-D18D50AE7BA3} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{844CA461-F432-4DC3-BF79-D93C2454EA83}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Regards

Stef:bigthumb:

ken545

2007-07-20, 12:26

Good Morning Stef,

If there is a file VundoFix doesn't find we need it submitted to add to the database.
Please submit the files to Upload Malware (http://www.uploadmalware.com)

C:\WINDOWS\SYSTEM32\mljkllm.dll <-- Please submit this file so they can add it to the removal tool

Remove these with HJT

O2 - BHO: (no name) - {3F0DB6EA-0733-4C7C-8CFD-D18D50AE7BA3} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll

O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll

Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.

C:\WINDOWS\SYSTEM32\mljkllm.dll

Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
If its not greyed out..Click the radio button that say Unregister .dll before deleting.
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.

Post a new HJT log please

Steffan72

2007-07-23, 14:33

Logfile of HijackThis v1.99.1
Scan saved at 13:30:52, on 23/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{844CA461-F432-4DC3-BF79-D93C2454EA83}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ken545

2007-07-23, 19:25

Stef, :)

The reason for renaming HJT is because the lowlife that write the vundo trojan have written it to hide from HJT and by renaming it , it will pick up entries in your log that won't show up otherwise.

C:\Documents and Settings\Administratoe\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip <-- You can delete this .

C:\Program Files\Hijackthis\scanner.exe.exe <-- Use this one, you can keep it this way , it won't hurt anything being permanently renamed.

Remove both these entries with HJT
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Open HJT> Misc Tools> Delete a File on Reboot and scroll to
C:\WINDOWS\SYSTEM32\mljkllm.dll or copy and paste the entire path into the box. Click ok and let it reboot.

Post a new log with it renamed to Scanner.exe

Ken:)

Steffan72

2007-07-24, 13:40

Hi Ken:fear:

Logfile of HijackThis v1.99.1
Scan saved at 09:15:47, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37234DE4-7773-4631-AB43-F62C6D225C2B} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\nvbnumaj.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\mljkllm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gbujpydm.dll",forkonce
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{844CA461-F432-4DC3-BF79-D93C2454EA83}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: mljkllm - C:\WINDOWS\SYSTEM32\mljkllm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Regards

Stef:bigthumb:

ken545

2007-07-24, 13:58

Stef,

Your still infected with Vundo, delete the tool from your desktop and lets do a clean download.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Let me see the report and a new HJT log please.

tashi

2007-08-02, 02:00

Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.