VirtuMundo [RESOLVED]

#1 seppooo (New Member, 9 posts)

Hi,

I have this problem with the virtumundo adware...

Help!
Benno

here's my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 5:46:29 PM, on 10/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\HFXP\hfxp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heise.de/newsticker
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hkclproxy.hkpl.gov.hk:8080
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\ljhhg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HXP.lnk = C:\Program Files\HFXP\hfxp.exe
O4 - Startup: Shortcut to msnmsgr.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Startup: Skype.lnk = C:\Program Files\Skype\Skype.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122351941496
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - http://sc-cis.de/TS4/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: ljhhg - C:\WINNT\system32\ljhhg.dll
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\p4r4le9q1h.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 seppooo (Topic Starter, New Member, 9 posts)

I saw that newer HijackThis posts are replied to, and I still have this problem going on here. Can anyone please help me too... this virtumondo really annoys me a lot here...

Thanks
Benno

#3 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

seppooo
Sorry it has taken so long for your post to be responded to. As you can see it is a very busy site, and sometimes some logs do fall through the cracks. If you still need help with this matter please post an updated HijackThis log and I will respond in a timely manner.

#4 seppooo (Topic Starter, New Member, 9 posts)

hi jwbird

thanks for help! here's a new log

Logfile of HijackThis v1.99.1
Scan saved at 12:04:20 AM, on 11/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\HFXP\hfxp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Skype.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heise.de/newsticker
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hkclproxy.hkpl.gov.hk:8080
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\ljhhg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HXP.lnk = C:\Program Files\HFXP\hfxp.exe
O4 - Startup: Shortcut to msnmsgr.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Startup: Skype.lnk = C:\Program Files\Skype\Skype.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122351941496
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - http://sc-cis.de/TS4/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: ljhhg - C:\WINNT\system32\ljhhg.dll
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\p4r4le9q1h.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

seppooo
Got your reply, will post a fix in the AM for you....1AM here.....
Are you running IE5 because this is a new install, or do you NOT want to update to IE6??

#6 seppooo (Topic Starter, New Member, 9 posts)

i am using firefox, so i never bothered to upgrade the IE, and as far as i know, i can also not deinstall IE, right?

#7 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Changed my mind we'll get you started tonight and finish up tomorrow!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode.
    How do I boot into "Safe" mode? or just do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
  • At this point press enter just once.
  • Then you should see:
  • At this point please type the following file path (make sure to enter it EXACTLY as below!):
    • C:\WINNT\system32\ljhhg.dll
  • Press Enter to continue with the fix.
  • Next you will see:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINNT\system32\ghhjl.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\ljhhg.dll
    O20 - Winlogon Notify: ljhhg - C:\WINNT\system32\ljhhg.dll
    O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\p4r4le9q1h.dll (file missing)
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
Please reboot into safe mode -

The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
  • DIRECTORY CONTENTS (But not the directory)
    • C:\Windows\Temp\delete all files in here
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ delete all files in here <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\ delete all files in here
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\delete all files in here
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\delete all files in here
    • Empty your "Recycle Bin"
  • FILES
    • C:\WINNT\system32\ljhhg.dll
    • C:\WINNT\system32\p4r4le9q1h.dll
Reboot again and log in normally, repost a new HijackThis log into this message for further review.
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.


No, you can't uninstall IE, but it is still necessary for Windows updates and a few other sites... there were considerable security holes in IE 5 that were fixed with IE6, but we'll get to updates after we get you cleaned up.

Edited by jwbirdsong, 06 November 2005 - 02:52 AM.


#8 seppooo (Topic Starter, New Member, 9 posts)

Hey,

Just went through the procedure, except for the Antivirus scan, as I encountered some problems beforehand.
Basically, it could not kill off the process related to the ljhhg.dll file, as it said that the process is used by another system process...
I tried twice in two different safe modes, but still the same result. Obviously afterwards I could also not delete the ljhhg.dll file manually from the system32-folder.

Any idea what went wrong?

Benno

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINNT\system32\ljhhg.dll

The second filepath entered was C:\WINNT\system32\ghhjl.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 112 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 516 'explorer.exe'


Killing PID 160 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINNT\system32\ljhhg.dll.
C:\WINNT\system32\ghhjl.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:43:14 PM, on 11/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\HFXP\hfxp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Skype.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heise.de/newsticker
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hkclproxy.hkpl.gov.hk:8080
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\ljhhg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HXP.lnk = C:\Program Files\HFXP\hfxp.exe
O4 - Startup: Shortcut to msnmsgr.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Startup: Skype.lnk = C:\Program Files\Skype\Skype.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122351941496
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - http://sc-cis.de/TS4/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: ljhhg - C:\WINNT\system32\ljhhg.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
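The persistence pattern these logs show, the same DLL registered as an O2 BHO and as an O20 Winlogon Notify handler (winlogon.exe loads Notify DLLs at logon, safe mode included, which is why the VundoFix run above could neither kill nor delete ljhhg.dll), as an added Python triage script that is not part of the original thread, of HijackThis or of VundoFix; the sample log lines are constructed from entries quoted in this thread:

```python
"""Triage a HijackThis 1.99.1 log for the Vundo/Virtumundo persistence pattern.

Added example; not code from the original thread, from HijackThis or from VundoFix.
The sample log below is constructed from entries quoted in this thread.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant entries of the log posted after the failed VundoFix run.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\ljhhg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: ljhhg - C:\WINNT\system32\ljhhg.dll
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\p4r4le9q1h.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
MISSING = "(file missing)"


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; process lists and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def module_path(body):
    """Module path of an O2/O20 entry: the last ' - ' field, lower-cased, plus a 'file missing' flag."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    missing = tail.endswith(MISSING)
    if missing:
        tail = tail[: -len(MISSING)].strip()
    return tail.lower(), missing


def triage(log_text):
    """Return a list of findings, each a dict with 'kind', 'path', 'line' and 'why'."""
    findings = []
    registered = defaultdict(set)   # dll path -> HijackThis sections it is registered under
    first_line = {}                  # dll path -> first log line that mentions it
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O6":
            # IE options restricted by an HKCU policy: legitimate only if an admin set it deliberately.
            findings.append({"kind": "ie_policy_restriction", "path": None, "line": line,
                             "why": "IE restriction policy present under HKCU"})
        elif section in ("O2", "O20"):
            path, missing = module_path(body)
            registered[path].add(section)
            first_line.setdefault(path, line)
            if section == "O20" and missing:
                findings.append({"kind": "orphaned_winlogon_notify", "path": path, "line": line,
                                 "why": "Winlogon Notify entry points at a DLL that no longer exists"})
    for path, sections in registered.items():
        if {"O2", "O20"} <= sections:
            # Same DLL as browser helper object AND Winlogon notification package: classic Vundo.
            # The O20 registration makes winlogon.exe load the DLL at logon (safe mode included),
            # so a user-mode kill/delete from a live session fails, as the VundoFix log shows.
            findings.append({"kind": "vundo_bho_plus_winlogon_notify", "path": path,
                             "line": first_line[path],
                             "why": "DLL registered as both O2 BHO and O20 Winlogon Notify handler"})
    return findings


def report(log_text):
    """Human-readable triage lines, most severe first."""
    order = {"vundo_bho_plus_winlogon_notify": 0, "orphaned_winlogon_notify": 1,
             "ie_policy_restriction": 2}
    rows = sorted(triage(log_text), key=lambda f: order[f["kind"]])
    return [f"[{f['kind']}] {f['line']}\n    -> {f['why']}" for f in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```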

#9 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Here's a quick thought while I look into it. Run HijackThis-->>scan only option-->> Put a check next to these two entries
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Make sure ALL OTHER WINDOWS are closed and hit "Fix"
Reboot and try all again... you didn't have IE (or anything else) open when you did the fix, did you? It doesn't look like it, but make sure..

#10 seppooo (Topic Starter, New Member, 9 posts)

alright, let me try this. i thought i had all windows closed, but who knows...

thanks
benno

#11 seppooo (Topic Starter, New Member, 9 posts)

hi

i went through the whole thing, and exactly the same result. cannot kill ljhhg.dll as it's used by another process...
i was wondering whether i should update the IE first?

benno

#12 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Well I've asked and we don't believe IE5 to be the problem but I will strongly recommend you update it anyway as it is much more secure..Windows update link is in my signature if you need it.

You did disable those two items in HijackThis, didn't you??

Let's try a little different tack then:

Please download WebRoot Spy Sweeper from the following location:
http://www.webroot.com/downloads/
  • Click the Free Trial link under Spy Sweeper to download the program.
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it's safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
  • Once the program is installed, you will be prompted to check for updated definitions, click Yes. This may take several minutes.
  • Once the definitions are installed, close the program and reboot your computer into Safe Mode
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
  • Launch Spy Sweeper
    • From the left pane, click Options then Sweep Options
      • Check Sweep all Folders on Selected drives.
      • Check Local Disc C.
      • Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the scanning is done, click Remove. Click Select All and then Next. It will remove all of the items found.
  • From Results, select the Session Log tab. Click Save to File and save the log to your Desktop or to a convenient location.
Exit Spy Sweeper.

Make sure you have rebooted at this point

Then post a fresh Hijack this log along with the log from Spysweeper

#13 seppooo (Topic Starter, New Member, 9 posts)

hi

just to keep you posted. i did the following:

1.
- updated IE
- tried again with the initial solution
Result: same as before

2.
- went into safe mode
- executed spy sweeper
- virtumondo was found and removal started
- computer went into a freeze
- after restart, virtumondo seems to be gone
- and i could delete the ljhhg.dll file manually from the system32 folder

3.
- now i am running spy sweeper again to clean out everything
- then i will delete all temp folders as described before
- and post all logs into here

cheers
benno

Ps: was a major exercise ;-)

#14 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

> Ps: was a major exercise ;-)

It's a major infection :)
Good job :tazz:

#15 seppooo (Topic Starter, New Member, 9 posts)

Hi,

Finally I am back. Here's what spysweeper said:


********
7:03 AM: | Start of Session, Monday, November 07, 2005 |
7:03 AM: Spy Sweeper started
7:03 AM: Sweep initiated using definitions version 567
7:03 AM: Starting Memory Sweep
7:04 AM: Memory Sweep Complete, Elapsed Time: 00:01:02
7:04 AM: Starting Registry Sweep
7:04 AM: Found Adware: effective-i toolbar
7:04 AM: HKLM\software\effective-i\ (ID = 125658)
7:04 AM: HKLM\software\microsoft\windows\currentversion\uninstall\ucmore - the search accelerator\ (7 subtraces) (ID = 125671)
7:04 AM: Found Adware: ezula ilookup
7:04 AM: HKLM\software\microsoft\webext\ (30 subtraces) (ID = 828947)
7:04 AM: HKU\S-1-5-21-220523388-152049171-1343024091-500\software\effective-i\ (7 subtraces) (ID = 125657)
7:04 AM: HKU\S-1-5-21-220523388-152049171-1343024091-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
7:04 AM: Found Adware: targetsaver
7:04 AM: HKU\S-1-5-21-220523388-152049171-1343024091-500\software\tsl2\ (1 subtraces) (ID = 143616)
7:04 AM: Registry Sweep Complete, Elapsed Time:00:00:11
7:04 AM: Starting Cookie Sweep
7:04 AM: Found Spy Cookie: 888 cookie
7:04 AM: administrator@888[2].txt (ID = 2019)
7:04 AM: Found Spy Cookie: overture cookie
7:04 AM: [email protected][1].txt (ID = 3106)
7:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:04 AM: Starting File Sweep
7:07 AM: Found Adware: dealhelper
7:07 AM: newpjzpamu1.xml (ID = 181050)
7:07 AM: newpjzpamk2.xml (ID = 181048)
7:21 AM: Found Adware: apropos
7:21 AM: wingenerics.dll (ID = 50187)
7:23 AM: newpjzpamk1.xml (ID = 181047)
7:24 AM: newpjzpamu.xml (ID = 181049)
7:24 AM: newpjzpamk.xml (ID = 181046)
7:24 AM: newpjzpamu2.xml (ID = 181051)
7:25 AM: newpjzpamtime.xml (ID = 163168)
7:29 AM: File Sweep Complete, Elapsed Time: 00:24:58
7:29 AM: Full Sweep has completed. Elapsed time 00:26:17
7:29 AM: Traces Found: 227
7:33 AM: Removal process initiated
7:33 AM: Quarantining All Traces: apropos
7:33 AM: Quarantining All Traces: dealhelper
7:33 AM: Quarantining All Traces: effective-i toolbar
7:33 AM: Quarantining All Traces: ezula ilookup
7:33 AM: Quarantining All Traces: targetsaver
7:33 AM: Quarantining All Traces: 888 cookie
7:33 AM: Quarantining All Traces: overture cookie
7:33 AM: Removal process completed. Elapsed time 00:00:10

____________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:42:02 PM, on 11/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\HFXP\hfxp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heise.de/newsticker
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hkclproxy.hkpl.gov.hk:8080
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HXP.lnk = C:\Program Files\HFXP\hfxp.exe
O4 - Startup: Shortcut to msnmsgr.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Startup: Skype.lnk = C:\Program Files\Skype\Skype.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122351941496
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - http://sc-cis.de/TS4/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe