can't get rid of virus...

[kayaboy]

I updated/ran Norton Anti-virus the other day on my daughter's cpu, which is running XP Home. A virus--Trojan.Vundo.B--was found...and for some reason, wasn't able to be cleaned nor quarantined--then the Symantec Anti-Virus Notification screen popped up in the corner of the screen -- and it will not go away! After closing it it will pop up again! I went to the Symantec site, found the 'tool' to remove the above virus--followed directions to a "T" (turned off System Restore, dis-connected from network & internet, turned off file sharing, and booted into safe mode), and ran the removal tool in safe mode--but when it's completed it says the virus cannot be found (?!) The anti-virus notification screen will continue to pop up (it's up to about 1158 and counting as I type this!) I've ran NAV again and again, and the virus will be found, but it will not be removed/cleaned/quarantined--and then the anti-virus notification screen will pop up...HELP!!!!???
Thanks!!

 

[pechenegs]

post a hijack this log and I'll post back with removal instructions!


hi, welcome to TSG.

Download hijack this from the link below.Please do this. Click here:

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.

 

[kayaboy]

Thanks for the info! p.s. if this may be of any assistance, the file name that pops up in NAV is listed here as:
"O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll"
I think that "jkkli.dll" file is the culprit! ;0
Here ya go (and thanks again for the help!):

Logfile of HijackThis v1.99.1
Scan saved at 4:45:47 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\GREG\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/mywaybiz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/mywaybiz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.dell4me.com/mywaybiz

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\MediaExe\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] c:\Dell\MediaExe\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .AVI: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

 

[pechenegs]

Please download VundoFix.exe to your desktop.

http://www.atribune.org/downloads/VundoFix.exe

* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
* You will first be presented with a warning and a list of forums to seek help at.
it should look like this

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:

http://www.atribune.org/forums

http://www.247fixes.com/forums

http://www.geekstogo.com/forum

http://forums.net-integration.net

* At this point press enter one time.
* Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

* At this point please type the following file path (make sure to enter it exactly as below!):
o C:\WINDOWS\system32\jkkli.dll
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

* At this point please type the following file path (make sure to enter it exactly as below!):

o C:\WINDOWS\system32\ilkkj.*

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
* The fix will run then HijackThis will open.
* In HiJackThis, please place a check next to the following items and click FIX CHECKED:


o O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkli.dll
o O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll


* After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

http://www.stevengould.org/software...p/download.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start >
All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.



Then, please run this online virus scan: ActiveScan

http://www.pandasoftware.com/products/activescan.htm

Copy the results of the ActiveScan and paste them here along with a new
HiJackThis log and the vundofix.txt file from the vundofix folder into this
topic.

 

[pechenegs]

Strange enough, calamity Jane and Brendandonhu have both been dbating that Vundo H has been hitting mostly Dell computers and you have a Dell, they were wondering if there's a flaw somewhere in Dell or in Microsoft which hasn't been patched yet!

The TSG board was swamped just over a week ago by Vundo H.

http://forums.techguy.org/t406238&highlight=vundo+fix.html

 

[pechenegs]

oops, the above should be southern lady not calmity Jane

 

[kayaboy]

Thanks for the quick reply! I've followed your instructions, but am having difficulties in completing the task at hand...I'm able to enter the file path, but when I hit 'enter' it goes to the "type in 2nd file path" step right away (I'm not able to hit F6 then enter again, as instructed). If I do proceed with entering both file paths, I get a 'caution': "You are attempting to open a file of type 'Application Extension'(.dll) screen--I hit Cancel...Then 'Hijack This' opens--I run the Scan, but cannot find the line:
o O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkkli.dll'
So, I click the other (o20--winlogon notify), clicked FIX CHECKED, rebooted...and it popped up again!
Am I doing something wrong? Please let me know.
Thanks!!!

 

[pechenegs]

just follow the instructions, print them out before proceeding. make sure you don't have anythign blocking such as script blockers, turn off Norton's script blocker until finished!

try the fix again or try it in normal mode!