
Thread: started with virtumonde - logs attached

#1 Junior Member (Join Date: Jul 2007, Posts: 5)

started with virtumonde - logs attached

    System has been running WAY slow. Ran ad-aware with no hits, ran Spybot and got virtumonde. Tried to work through it and think it's bigger/worse than that. Ran CA online virus scan and got 9 virus hits, but it would not let me cure/delete them - log follows. Ran HJT - log follows. PLEASE help!

****CA Virus Scanner****
Scan Results: 38249 files scanned. 9 viruses were detected.

Path (all entries): C:\Documents and Settings\Fred\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

File | Infection | Status
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>BnnnnBaa.class | Java/ByteVerify!exploit | infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>VaannnaaBaa.class | Java/ByteVerify!exploit | infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>Dnnny.class | Java/ByteVerify!exploit | infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>Bnnnnn.class | Java/Shinwow.BL | Infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>Den.class | Java/ByteVerify!exploit | infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>Din.class | Java/ByteVerify!exploit | infected
cnte-dhncgts.jar-6d6dbd91-688ae97b.zip>Dun.class | Java/ByteVerify!exploit | infected
eRT.jar-14e46f0-3d514f8b.zip>HiPointInstallShieldRT.class | Java/Shinwow.BH | infected
nRT.jar-4e3272d0-567ec50d.zip>HiPointInstallShieldRT.class | Java/Shinwow.BH | infected

    ****HJT****
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:50:29 PM, on 7/28/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe
    C:\program files\Trend Micro\HijackThis\scanner.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13B893BB-D1B1-4C34-B12D-9AAC99A11608} - C:\WINNT\system32\mljii.dll (file missing)
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\system32\ssqnkll.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {ABEF86AA-7B8D-441D-B577-8F8586298C01} - C:\WINNT\system32\iiigf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Download with &DAP - C:\program files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\program files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://emcgln2.emcor.net/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129418685151
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O20 - Winlogon Notify: iiigf - C:\WINNT\system32\iiigf.dll
    O20 - Winlogon Notify: ssqnkll - C:\WINNT\SYSTEM32\ssqnkll.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5784 bytes
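The pattern the helper picks out later in this thread (an unnamed O2 BHO and an O20 Winlogon Notify package pointing at the same random-named DLL in system32, and the "(file missing)" residue an entry leaves once the file is gone) can be pulled out of an HJT log mechanically. The Python below is an added example written for this page; it is not part of the original post and not a HijackThis feature. Its sample input is the O2 and O20 lines copied from the log above. The set of stock Winlogon Notify packages is an assumption and deliberately incomplete, so an O20 entry outside it is reported for review rather than declared malicious.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) entries for the
Vundo pattern seen in this thread. Added example; not a HijackThis feature."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the O2 and O20 lines copied from the first
# HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13B893BB-D1B1-4C34-B12D-9AAC99A11608} - C:\WINNT\system32\mljii.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\system32\ssqnkll.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ABEF86AA-7B8D-441D-B577-8F8586298C01} - C:\WINNT\system32\iiigf.dll
O20 - Winlogon Notify: iiigf - C:\WINNT\system32\iiigf.dll
O20 - Winlogon Notify: ssqnkll - C:\WINNT\SYSTEM32\ssqnkll.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

# Winlogon Notify packages that ship with Windows 2000/XP. Assumption: this
# list is partial; anything outside it is reported for review, not declared bad.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Entry:
    section: str   # "O2" or "O20"
    name: str      # BHO display name or Winlogon Notify subkey name
    path: str      # DLL path exactly as HJT printed it
    missing: bool  # HJT appended "(file missing)": registry residue, no file


@dataclass
class Finding:
    dll: str                                  # lower-cased DLL basename
    status: str                               # "active" or "residue"
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only O2 and O20 lines; every other HJT section is ignored here."""
    entries = []
    for line in text.strip().splitlines():
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line.strip())
            if m:
                entries.append(Entry(section, m["name"], m["path"],
                                     m["missing"] is not None))
                break
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: List[Entry]) -> Dict[str, Finding]:
    """One Finding per suspicious DLL. Status comes from the first entry that
    names the DLL: if HJT says the file is missing, only the registry key is
    left (what the thread calls residue)."""
    notify = {basename(e.path) for e in entries if e.section == "O20"}
    findings: Dict[str, Finding] = {}

    def flag(e: Entry, reason: str) -> None:
        dll = basename(e.path)
        f = findings.setdefault(dll, Finding(dll, "residue" if e.missing else "active"))
        if reason not in f.reasons:
            f.reasons.append(reason)

    for e in entries:
        dll = basename(e.path)
        in_system32 = "\\system32\\" in e.path.lower()
        if e.section == "O2":
            if e.name == "(no name)" and in_system32:
                flag(e, "unnamed BHO loaded from system32")
            if dll in notify:
                flag(e, "same DLL registered as Winlogon Notify package")
        else:  # O20
            if dll.rsplit(".", 1)[0] not in KNOWN_NOTIFY:
                flag(e, "Winlogon Notify DLL not in the stock list")
    return findings


if __name__ == "__main__":
    for dll, f in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{f.status:8} {dll}: {'; '.join(f.reasons)}")
```

Run against the log above it reports ssqnkll.dll and iiigf.dll as active with both the unnamed-BHO and the Winlogon Notify reasons, and mljii.dll as residue; the Adobe and Sun Java BHOs are not flagged because they are named and live outside system32.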

#2 pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    It's vundo, you may want to read this:
    http://forums.spybot.info/showpost.p...80&postcount=2
    If you have old Java versions uninstall them in Add Remove programs.

    You have an infected Java cache also, use these instructions to clean it:
    http://support.f-secure.com/enu/home...avacache.shtml

    Read and follow the directions carefully. If you should have Vundofix on your computer, delete it and download it new from the link I am providing.

    Thanks to Atribune and any others who helped with this fix.

    Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    If there is a file VundoFix doesn't find we need it submitted. Please submit
    the files to upload malware http://www.uploadmalware.com

    Let me know how the computer is performing now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

#3 Junior Member (Join Date: Jul 2007, Posts: 5)

It was successful - but is there another issue?

    Thank you so much! I think there may be one issue left.

    Steps:
    deleted java cache
    uninstalled java
    ran vundofix - files are khhef.dll, khhef.ini and khhef.bak1
    rec'd error "cannot import c:\vundofix.reg: error
    opening file. there maybe disk or file system error"
    dll not able to be removed. Rebooted, clicked "remove files", rec'd error message again. Rebooted and clean. No vundofix files were found.

    Logs for vundofix and HJT follow.
    HJT shows "BHO" and "winlogon notify" entries for ssqnkll.dll
    How do I eliminate this also? And is it safe to reinstall current Java build?

    ***
    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 1:20:03 AM 7/29/2007

    Listing files found while scanning....

    C:\WINNT\system32\fehhk.bak1
    C:\WINNT\system32\fehhk.ini
    C:\WINNT\system32\khhef.dll

    Beginning removal...

    Attempting to delete C:\WINNT\system32\fehhk.bak1
    C:\WINNT\system32\fehhk.bak1 Has been deleted!

    Attempting to delete C:\WINNT\system32\fehhk.ini
    C:\WINNT\system32\fehhk.ini Has been deleted!

    Attempting to delete C:\WINNT\system32\khhef.dll
    C:\WINNT\system32\khhef.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINNT\system32\khhef.dll
    C:\WINNT\system32\khhef.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    ***
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:31:09 AM, on 7/29/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\program files\Trend Micro\HijackThis\scanner.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\system32\ssqnkll.dll
    O2 - BHO: (no name) - {5FB4C0B4-F837-4C1F-8A10-5982C6560A56} - C:\WINNT\system32\khhef.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ISUSPM] "C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Download with &DAP - C:\program files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\program files\DAP\dapextie2.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://emcgln2.emcor.net/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129418685151
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O20 - Winlogon Notify: ssqnkll - C:\WINNT\SYSTEM32\ssqnkll.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5180 bytes
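In the VundoFix log above, the two files deleted alongside khhef.dll are fehhk.ini and fehhk.bak1: the DLL's base name spelled backwards. The Python below is an added example, not part of the thread and not VundoFix code. Given a DLL name taken from an HJT O2 or O20 line it derives the reversed-name companions and checks a directory for them, and it also sweeps a whole directory for any .dll whose reversed stem has .ini or .bak1 siblings, which generalises the single triplet in the log to whatever name the next variant uses. The directory it scans is a temporary one constructed inline with the three names from the log plus benign neighbours; it is not a real system32.

```python
"""Find Vundo-style reversed-name companion files (khhef.dll <-> fehhk.ini,
fehhk.bak1). Added example; not part of the thread or of VundoFix."""
import tempfile
from pathlib import Path
from typing import Dict, List

# Companion extensions seen in the VundoFix log in this thread.
COMPANION_EXTS = (".ini", ".bak1")


def companion_names(dll_name: str) -> List[str]:
    """khhef.dll -> ['fehhk.ini', 'fehhk.bak1']: stem reversed, case kept."""
    stem = Path(dll_name).stem
    return [stem[::-1] + ext for ext in COMPANION_EXTS]


def check_set(directory: str, dll_name: str) -> Dict[str, bool]:
    """Presence map for one DLL and its companions. A True left over after a
    removal run means that file still needs deleting (or submitting)."""
    d = Path(directory)
    return {n: (d / n).is_file() for n in [dll_name] + companion_names(dll_name)}


def find_reversed_pairs(directory: str) -> Dict[str, List[str]]:
    """Every .dll in the directory whose reversed stem has .ini/.bak1 siblings.
    Matching is case-insensitive because the Windows file system is."""
    d = Path(directory)
    present = {p.name.lower(): p.name for p in d.iterdir() if p.is_file()}
    hits: Dict[str, List[str]] = {}
    for lower, actual in present.items():
        if not lower.endswith(".dll"):
            continue
        rev = lower[:-4][::-1]
        sibs = [present[rev + ext] for ext in COMPANION_EXTS if rev + ext in present]
        if sibs:
            hits[actual] = sibs
    return hits


def demo_directory() -> str:
    """Constructed sample: a temp dir holding the three names from the VundoFix
    log plus benign neighbours. Not a real system32; contents are empty files."""
    d = tempfile.mkdtemp(prefix="vundo_demo_")
    for name in ("khhef.dll", "fehhk.ini", "fehhk.bak1",
                 "kernel32.dll", "ssqnkll.dll", "win.ini"):
        Path(d, name).write_bytes(b"\0")
    return d


if __name__ == "__main__":
    d = demo_directory()
    print("reversed-name sets:", find_reversed_pairs(d))
    print("ssqnkll.dll set:", check_set(d, "ssqnkll.dll"))
```

On the constructed directory only khhef.dll is paired; ssqnkll.dll has no llknqss.ini or llknqss.bak1 beside it, which matches the log, where VundoFix listed companions for khhef.dll but not for ssqnkll.dll.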

#4 pskelley

    Thanks for returning your information. You asked this:
    And is it safe to reinstall current Java build?
    If you are going to run Java, you should always have the newest build. The autoupdater for the Java program has always been a bit buggy, so I would check for updates as often as Windows updates.

    The Vundo infection has not been removed. Run the scan again and keep an eye on the O20 Winlogon entries for the random-named Vundo .dlls; they do morph. Here is what I see now:
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\system32\ssqnkll.dll
    O20 - Winlogon Notify: ssqnkll - C:\WINNT\SYSTEM32\ssqnkll.dll

    If you run the Vundofix and it becomes obvious it is not going to remove that file: C:\WINNT\system32\ssqnkll.dll
    Then follow the directions and upload the file to Atribune so he can add it to the fix, then do this:

    Open Vundofix by Doubleclicking on it, then point your mouse to the white box
    above the buttons and right click, then click on Add More Files. When the
    next window opens, copy and paste the files into the boxes and click on Add
    File(s), then click on Close Window. Then click Remove Vundo.

    There may well be residue to remove manually even if you are successful, but it will appear on the log like this:

    O20 - Winlogon Notify: ssqnkll - C:\WINNT\SYSTEM32\ssqnkll.dll (file missing)

    Thanks

#5 Junior Member (Join Date: Jul 2007, Posts: 5)

It worked!

    Thanks again, so very much!!! I am clean!!!

    Next run of vundofix found another dll (and files - xxwxx.dll). Went through the remove process - rebooted, re-ran and no infected files. But ssqnkll.dll still present. Used "add files", rebooted - file removed. Reinstalled Java 1.60_02 and ran vundofix again. All clear. Ran HJT and no BHO or Winlogon entry present.

    ***
    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 2:54:18 AM 7/29/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete c:\winnt\system32\ssqnkll.dll
    c:\winnt\system32\ssqnkll.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    ***
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:14:41 AM, on 7/29/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\program files\Trend Micro\HijackThis\scanner.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\program files\common files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Download with &DAP - C:\program files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\program files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://emcgln2.emcor.net/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129418685151
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5349 bytes

#6 Junior Member (Join Date: Jul 2007, Posts: 5)

file submitted to malware site

    pskelley, you said:

    "If you run the Vundofix and it becomes obvious it is not going to remove that file: C:\WINNT\system32\ssqnkll.dll
    Then follow the directions and upload the file to Atribune so he can add it to the fix..."

    I uploaded the file to malware site with a link to this thread. Thanks for your time and effort - I appreciate it more than you know!

#7 pskelley

    Thanks for the reports and the feedback. Your HJT log appears clean of malware; stick with me a bit longer. This is for your information:
    O8 - Extra context menu item: &Download with &DAP - C:\program files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\program files\DAP\dapextie2.htm
    http://www.greatis.com/appdata/u/d/dap.exe.htm
    http://process.networktechs.com/DAP.EXE.php
    I uploaded the file to malware site with a link to this thread
    Thanks, the next folks infected with that file will appreciate it.

    Since you had a nasty malware infection, I believe we should run a good scan for hidden malware. If you think so too, then do this:

    If you run the scan, before you run it, delete all of Vundofix, including its backups, from your computer. The scan will see those as infections. You may rename HJT if you wish.

    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    If you do not feel the scan is necessary, then do this:

    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://users.telenet.be/bluepatchy/m...revention.html

    Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley

#8 Junior Member (Join Date: Jul 2007, Posts: 5)

final scan - we're clean!

    Thanks for the info (ALL the info and ALL the assistance). I reviewed the DAP info and decided to remove it - not worth the potential problems. I'll find another download manager.

    I am VERY glad that the file may be of help to someone else - anything we can do to stop "them" is a good thing.

    Ran Kaspersky online scan and all comes back clean - YES! Log follows.

    Again, many thanks to you and all the moderators here!

    ***Kaspersky Log***
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, July 29, 2007 12:50:47 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 29/07/2007
    Kaspersky Anti-Virus database records: 369386
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 37955
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:20:21

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Fred\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Fred\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Fred\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Fred\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Fred\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Fred\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Fred\ntuser.dat.LOG Object is locked skipped
    C:\program files\DAP\Log\DAPIE.LOG Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Internet Logs\AXIS.ldb Object is locked skipped
    C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\Perflib_Perfdata_350.dat Object is locked skipped
    C:\WINNT\Temp\ZLT02449.TMP Object is locked skipped
    C:\WINNT\Temp\ZLT02481.TMP Object is locked skipped

    Scan process completed.
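The report above shows zero infected objects over 37,955 scanned, followed by 39 "Object is locked skipped" lines. Those are not detections; they are files the scanner could not open on a running system (registry hives, event logs, IE index.dat files, AVG and ZoneAlarm working files), so they were not inspected at all. The Python below is an added example, not part of the thread and not Kaspersky code: it parses the report header, separates locked objects from any other result line, and tallies what was not inspected by category so the gaps behind a "clean" result are visible. The category rules are assumptions derived from the paths in this report, and the sample input is a constructed subset of the report's own lines.

```python
"""Summarise a Kaspersky Online Scanner report: stats, plus what the scan
could not read. Added example; not part of the thread or of the scanner."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the header and nine of the 39 locked-object lines from
# the report posted in this thread.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 29, 2007 12:50:47 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/07/2007
Kaspersky Anti-Virus database records: 369386

Scan Statistics:
Total number of scanned objects: 37955
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:20:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\Fred\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fred\NTUSER.DAT Object is locked skipped
C:\program files\DAP\Log\DAPIE.LOG Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\Temp\ZLT02449.TMP Object is locked skipped

Scan process completed.
"""

STAT_RE = re.compile(r"^(Total number of scanned objects|Number of viruses found|"
                     r"Number of infected objects|Number of suspicious objects): (\d+)$")
LOCKED_SUFFIX = " Object is locked skipped"


def categorize(path: str) -> str:
    """Assumed rules for why a file is locked on a live Windows 2000/XP box."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name.endswith(".evt"):
        return "event log"
    if "\\system32\\config\\" in p or name.startswith(("ntuser.dat", "usrclass.dat")):
        return "registry hive"
    if name == "index.dat":
        return "IE history/cache index"
    if "\\avg7" in p or "\\grisoft\\" in p or "\\internet logs\\" in p or name.startswith("zlt"):
        return "AV/firewall working file"
    return "other"


def parse_report(text: str) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Return (statistics, locked-object paths, any other result lines)."""
    stats: Dict[str, int] = {}
    locked: List[str] = []
    other: List[str] = []
    in_results = False
    for line in text.strip().splitlines():
        line = line.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
        elif line.startswith("Infected Object Name"):
            in_results = True
        elif line == "Scan process completed.":
            in_results = False
        elif in_results and line:
            if line.endswith(LOCKED_SUFFIX):
                locked.append(line[:-len(LOCKED_SUFFIX)])
            else:
                other.append(line)   # a detection or anything else: surface it
    return stats, locked, other


def summarize(text: str) -> dict:
    stats, locked, other = parse_report(text)
    return {
        "clean": stats.get("Number of infected objects", -1) == 0
                 and stats.get("Number of suspicious objects", -1) == 0
                 and not other,
        "scanned": stats.get("Total number of scanned objects", 0),
        "not_inspected": len(locked),
        "by_category": dict(Counter(categorize(p) for p in locked)),
        # Locked files that are not hives, event logs, IE indexes or security
        # tool logs deserve a second look: nothing else should be held open.
        "unexpected_locks": [p for p in locked if categorize(p) == "other"],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

On the sample the only "unexpected" lock is the DAP download-manager log, which fits the poster's decision in the same reply to remove DAP; the hives, event logs and AVG/ZoneAlarm files are expected to be locked while Windows is running and would only be covered by an offline scan.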

#9 pskelley

    Thanks for returning your scan results; looks good. I personally do not use a download manager; I find Windows XP does the job fine with no help, but if you really must use one, here is some information to review:
    http://www.safer-networking.org/en/a...-managers.html
    http://cybercoyote.org/internet/download.shtml

    Safe surfing...Phil
