Problem with Virtumondo, vtsqq.dll, and probably more!



#1
taylorgordon (New Member)
Hello,
My computer has been on the downhill...

For the past months, it was just really slow but now I am getting virus messages for the Virtumondo, vtsqq.dll (located in C:\WINDOWS\system32\vtsqq.dll) and McAfee can't get rid of it. I have been trying to run scans but my computer is now spontaneously shutting off (as if you just unplugged it and took out the battery, just instant gone), and it seems to happen when I am running Spybot and Ad-Aware, so I haven't been able to finish a scan with either of them. I have gone to the microcomputer services at my university (GO DUCKS!) and used a clean-boot disk they gave me--it did not find anything, and the computer shut off spontaneously again after about 10 minutes the first time I tried it. I used Microsoft AntiSpyware and Trojan Hunter as well, to no success. It has been an ongoing process, so I always reset it, usually once a day. I thought it might be heat, so I tried letting it cool, but there was no obvious impact on its propensity to crash. I have updated Windows, ZoneAlarm, McAfee VirusScan, Spybot and Ad-Aware, although now they all seem impotent. Here is my log. I hope this is all the info you need; I tried to make sure about this before I posted because I know that time isn't cheap. Thanks,
Taylor Gordon

****

Logfile of HijackThis v1.99.1
Scan saved at 6:12:33 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\McAfee\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...shp?hl=en&gl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Taylor's Portal to the World
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bho - {E022347B-5446-4f8f-BA63-1B0E402D0195} - C:\WINDOWS\system32\bkfpjckg.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DA25EE3A-530B-4494-AA8A-AA52557E37B6} (LinkedIn Signature Control) - https://www.linkedin...tureControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...587/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by taylorgordon, 12 November 2005 - 08:47 PM.



#2
Wizard (Retired Staff)
Hi taylorgordon and Welcome to GeekstoGo!

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3
taylorgordon (Topic Starter)
Hi, here are the results. It crashed once the first time, so I had to restart, so that is why there are multiple scans listed. Thanks!


********
11:56 PM: | Start of Session, Sunday, November 13, 2005 |
11:56 PM: Spy Sweeper started
11:56 PM: Sweep initiated using definitions version 572
11:56 PM: Starting Memory Sweep
11:56 PM: Found Adware: virtumonde
11:56 PM: Detected running threat: C:\WINDOWS\system32\bkfpjckg.dll (ID = 153)
12:00 AM: Memory Sweep Complete, Elapsed Time: 00:03:39
12:00 AM: Starting Registry Sweep
12:00 AM: Found Trojan Horse: trojan-backdoor-soundcheck
12:00 AM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
12:00 AM: Registry Sweep Complete, Elapsed Time:00:00:35
12:00 AM: Starting Cookie Sweep
12:00 AM: Found Spy Cookie: reliablestats cookie
12:00 AM: taylor@stats1.reliablestats[1].txt (ID = 3254)
12:00 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:00 AM: Starting File Sweep
12:24 AM: File Sweep Complete, Elapsed Time: 00:23:07
12:24 AM: Full Sweep has completed. Elapsed time 00:27:25
12:24 AM: Traces Found: 10
12:25 AM: Removal process initiated
12:26 AM: Quarantining All Traces: virtumonde
12:26 AM: Quarantining All Traces: trojan-backdoor-soundcheck
12:26 AM: Quarantining All Traces: reliablestats cookie
12:26 AM: Preparing to restart your computer. Please wait...
12:26 AM: Removal process completed. Elapsed time 00:00:27
********
10:49 PM: | Start of Session, Sunday, November 13, 2005 |
10:49 PM: Spy Sweeper started
10:49 PM: Sweep initiated using definitions version 572
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: Starting Memory Sweep
10:50 PM: Found Adware: virtumonde
10:50 PM: Detected running threat: C:\WINDOWS\system32\bkfpjckg.dll (ID = 153)
10:50 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:50 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:50 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:52 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:53 PM: Detected running threat: C:\WINDOWS\system32\vtsqq.dll (ID = 77)
10:53 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:53 PM: BHO Shield: found: -- BHO installation denied at user request
10:55 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:55 PM: BHO Shield: found: -- BHO installation denied at user request
10:57 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:57 PM: BHO Shield: found: -- BHO installation denied at user request
10:59 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:59 PM: Memory Sweep Complete, Elapsed Time: 00:09:45
10:59 PM: Starting Registry Sweep
11:00 PM: Found Trojan Horse: trojan-backdoor-soundcheck
11:00 PM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
11:00 PM: BHO Shield: found: -- BHO installation denied at user request
11:00 PM: Registry Sweep Complete, Elapsed Time:00:00:46
11:01 PM: Starting Cookie Sweep
11:01 PM: Found Spy Cookie: reliablestats cookie
11:01 PM: taylor@stats1.reliablestats[1].txt (ID = 3254)
11:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:01 PM: Starting File Sweep
11:02 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:03 PM: BHO Shield: found: -- BHO installation denied at user request
11:03 PM: Warning: Failed to check file "C:\WINDOWS\system32\vtsqq.dll". Magic ID "FILE" expected but not found
11:05 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:06 PM: BHO Shield: found: -- BHO installation denied at user request
11:06 PM: Warning: Failed to check file "C:\WINDOWS\system32\vtsqq.dll". Magic ID "FILE" expected but not found
11:08 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:09 PM: BHO Shield: found: -- BHO installation denied at user request
11:09 PM: Warning: Failed to check file "C:\WINDOWS\system32\vtsqq.dll". Sector size must be 512 bytes, not 1536
11:11 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:11 PM: BHO Shield: found: -- BHO installation denied at user request
11:13 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:13 PM: BHO Shield: found: -- BHO installation denied at user request
11:15 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:15 PM: BHO Shield: found: -- BHO installation denied at user request
11:17 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:18 PM: BHO Shield: found: -- BHO installation denied at user request
11:20 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:21 PM: BHO Shield: found: -- BHO installation denied at user request
11:23 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:23 PM: BHO Shield: found: -- BHO installation denied at user request
11:25 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:25 PM: BHO Shield: found: -- BHO installation denied at user request
11:27 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:28 PM: BHO Shield: found: -- BHO installation denied at user request
11:29 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:30 PM: BHO Shield: found: -- BHO installation denied at user request
11:32 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:33 PM: BHO Shield: found: -- BHO installation denied at user request
11:35 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:36 PM: BHO Shield: found: -- BHO installation denied at user request
11:38 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:39 PM: BHO Shield: found: -- BHO installation denied at user request
11:41 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:42 PM: BHO Shield: found: -- BHO installation denied at user request
11:44 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
11:45 PM: BHO Shield: found: -- BHO installation denied at user request
11:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
********
10:45 PM: | Start of Session, Sunday, November 13, 2005 |
10:45 PM: Spy Sweeper started
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:47 PM: Your spyware definitions have been updated.
10:47 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:48 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: BHO Shield: found: vtsqq.dll-- BHO installation denied at user request
10:49 PM: | End of Session, Sunday, November 13, 2005 |

#4
Wizard (Retired Staff)
Please disable TeaTimer in Spybot S&D as it may prevent part of this fix:
Open Spybot and click on Mode, check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on Resident. Uncheck Resident "TeaTimer" box.
Close Spybot. Reboot your computer.


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\vtsqq.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\qqstv.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: Bho - {E022347B-5446-4f8f-BA63-1B0E402D0195} - C:\WINDOWS\system32\bkfpjckg.dll
    O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
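The fix above rests on two HijackThis entries (the O2 BHO and the O20 Winlogon Notify hook, both loading a random-named DLL straight out of system32) and on VundoFix's second path, which is the same file name spelt backwards with a wildcard extension. As an added example that is not code from the thread, HijackThis or VundoFix, the Python below applies that same triage to log lines copied from the thread's first log; the "random-looking name" test and the sample lines are constructed here, and the script only reports, it deletes nothing.

```python
"""Triage a HijackThis log for Vundo/Virtumonde-style persistence entries.

Added example; not code from the thread, HijackThis or VundoFix. It applies the
helper's reasoning mechanically: O2 (BHO) and O20 (Winlogon Notify) entries that
load a random-looking DLL straight out of system32 are suspect, and the second
path VundoFix asks for is the same file name reversed with a wildcard extension
(vtsqq.dll -> qqstv.*). The "random-looking" test is a constructed heuristic.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bho - {E022347B-5446-4f8f-BA63-1B0E402D0195} - C:\WINDOWS\system32\bkfpjckg.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()

# Only the two HijackThis sections Vundo used for persistence on this machine.
ENTRY_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
}
# A file directly inside <drive>:\WINDOWS\system32, not in a subfolder such as ZoneLabs\.
SYSTEM32_FILE_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str          # "O2" or "O20"
    name: str             # BHO display name or Winlogon Notify key
    path: str             # DLL path as HijackThis printed it
    file_missing: bool    # HijackThis appended "(file missing)"
    companion_glob: str   # second path VundoFix asks for (reversed name, any extension)
    hjt_line: str         # the exact line to tick under "Fix checked"


def looks_random(stem: str) -> bool:
    """Heuristic (constructed): all-lowercase letters, 5+ long, at most one vowel.

    Matches the generated names seen in the thread (vtsqq, bkfpjckg) while
    leaving mixed-case, pronounceable names such as SDHelper alone. It is a
    triage hint, not proof; confirm with a signer/hash check before deleting.
    """
    return stem.isalpha() and stem.islower() and len(stem) >= 5 and sum(c in VOWELS for c in stem) <= 1


def reversed_companion(path: str) -> str:
    """C:\\WINDOWS\\system32\\vtsqq.dll -> C:\\WINDOWS\\system32\\qqstv.* (VundoFix's second path)."""
    folder, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


def triage(log_text: str) -> List[Finding]:
    """Return suspect O2/O20 entries in the order they appear in the log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in ENTRY_RE.items():
            m = pattern.match(line)
            if not m:
                continue
            sys32 = SYSTEM32_FILE_RE.match(m["path"])
            if not sys32:
                break  # DLL outside system32 or in a subfolder: not the Vundo pattern
            stem = sys32.group(1).rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding(
                    section=section,
                    name=m["name"],
                    path=m["path"],
                    file_missing=m["missing"] is not None,
                    companion_glob=reversed_companion(m["path"]),
                    hjt_line=line,
                ))
            break
    return findings


def fix_checked_lines(findings: List[Finding]) -> List[str]:
    """The entries to tick in HijackThis, exactly as the helper listed them."""
    return [f.hjt_line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "file missing" if f.file_missing else "file present"
        print(f"[{f.section}] {f.path} ({state}); VundoFix second path: {f.companion_glob}")
```

Run against the thread's later log, the O2 entry comes back with `file_missing=True`, which is why the helper's last reply only asks for that orphaned entry to be fixed.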

#5
taylorgordon (Topic Starter)
Sorry for the lag... my computer freezes every time I am writing a reply or doing a scan. It seems to be working now, so here goes... Everything went well, and when I was doing ActiveScan, it listed that it had found 2 things, but it crashed before it finished and listed them specifically. I did it again, and ActiveScan did not find anything. Here are the vundofix.txt and HijackThis logs. ActiveScan did not come up with anything that I could paste. Oh, and there are a couple of copies of vundofix.txt; it kept freezing so I did it a couple of times. Thanks

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
vundofix1.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\vtsqq.dll

The second filepath entered was C:\WINDOWS\system32\qqstv.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 784 'explorer.exe'
Killing PID 784 'explorer.exe'


Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\vtsqq.dll Deleted sucessfully.
C:\WINDOWS\system32\qqstv.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

********

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\vtsqq.dll

The second filepath entered was C:\WINDOWS\system32\qqstv.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 816 'explorer.exe'
Killing PID 816 'explorer.exe'


Killing PID 200 'winlogon.exe'
Killing PID 200 'winlogon.exe'
Error 0x5 : Access is denied.--------------------------------------------------------------------------------------

C:\WINDOWS\system32\vtsqq.dll Deleted sucessfully.
C:\WINDOWS\system32\qqstv.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


********


Logfile of HijackThis v1.99.1
Scan saved at 10:50:03 AM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\McAfee\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Creative\MediaSource\CTCMS.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...shp?hl=en&gl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Taylor's Portal to the World
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bho - {E022347B-5446-4f8f-BA63-1B0E402D0195} - C:\WINDOWS\system32\bkfpjckg.dll (file missing)
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DA25EE3A-530B-4494-AA8A-AA52557E37B6} (LinkedIn Signature Control) - https://www.linkedin...tureControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...587/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by taylorgordon, 26 November 2005 - 12:50 PM.


#6
Wizard (Retired Staff)
Have HijackThis fix this entry

O2 - BHO: Bho - {E022347B-5446-4f8f-BA63-1B0E402D0195} - C:\WINDOWS\system32\bkfpjckg.dll (file missing)


Let's be sure there is nothing leftover.


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post the results of those 2 scans in the next reply please.