
Ie Popups Won't Stop--possibly Vundo/virtumonde?

  • This topic is locked
4 replies to this topic

#1 historyguy64


  • Members
  • 5 posts
  • Local time:07:39 PM

Posted 10 March 2008 - 09:54 AM

Hello, All:

I find myself in a predicament and in need of experienced assistance. Any and all help/commentary is appreciated.

I am running Windows XP Media Center Edition (SP2). I use IE 6.0.2900.2108

While visiting a site (virual paradox), I began receiving trojan warnings from McAfee. It looked like McAfee had handled everything.

Upon further surfing, however, and particularly when using a search engine (Yahoo!, Google, etc.), another Internet Explorer window would open. Sometimes several would open. These were ads for various sites (reditty, av sites, etc.). Initially, I could not close the newly opened browser windows (had to minimize, right-click, or use Program Mgr to close).

Here are the steps I have taken to try to remove the problems:
1. VundoFix --I have run this several times and it has found nothing
2. AIMFix--I can't remember what it found first. The current log shows nothing
3. BeagleFix-found nothing
4. AdAware 2007 - found registry issues and cookies--said it had fixed them
5. Spybot-Search & Destroy--found registry issues and suspicious .dlls
The .dlls that Spybot could not fix were eqcaldhn.dll, jkhlg.dll, and sdinapol.dll.
I was able to directly delete eqcaldhn.dll and sdinapol.dll--but these were in Startup, so now I'm in selective startup

I repeated the above steps after disabling System Restore and running in Windows Safe Mode with the same results.

Then I added VirtumundoBeGone to the mix (still in safe mode) and it found further registry changes. After that fix (the blue screen was scary), I restarted in Safe Mode. Then restarted in Normal mode to find the same issues.

Honestly, the frequency of the incidents is slightly reduced, but I can't use IE for any transactions/password operations. I'm concerned what else might be lurking.

One more thing--I may have an older version of Java running. Not sure how to check.

I truly do appreciate any help you might give me. Thanks.




#2 Hilary Duff

Hilary Duff

  • Members
  • 9 posts
  • Local time:08:39 PM

Posted 10 March 2008 - 04:07 PM

Hello, please download HijackThis from here- http://www.bleepingcomputer.com/files/hijackthis.php And post it into the appropriate forum and make a new topic that sounds like a nasty virus. Also download SUPERAntiSpyware. And tell me what it detects. And please DO NOT delete any more .dll's until you say what they are, I will approve them... Also go here- http://java.com/en/download/index.jsp And update your Java. Thanks.

Edited by Hilary Duff, 10 March 2008 - 04:32 PM.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,778 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:39 PM

Posted 10 March 2008 - 06:21 PM

Hello historyguy64 and welcome to BC :flowers:

Edited to add: I agree that running SUPERAntiSpyware is a good idea. I also agree that you shouldn't delete any other .dll files. In fact, please do not do anything further with .dlls unless you are instructed to do so in the HJT forum. Since you will be posting an HJT log in the HJT forum, please do not post the SUPERAntiSpyware log.

Please follow the directions in this guide. If you can't do a step, skip it and go on to the next. Then create an HJT log, you will find the directions in step 9 of the guide.

Create a new topic in this forum, not here and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work and paste in your HJT log. Please be sure to include the information from your initial post.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Please post the link to your new thread as a reply to this topic so we know you are receiving help in the HJT forum.

Edited to add: If you have any questions while going through the preparation guide, please post them as a reply to this topic.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 10 March 2008 - 07:47 PM.
Add additional material

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 historyguy64

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:39 PM

Posted 13 March 2008 - 11:48 PM

Thank you for the advice. I have posted the issue at http://www.bleepingcomputer.com/forums/t/135959/popups-wont-stop-possibly-vundovirtumonde/

#5 TMacK


  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:39 PM

Posted 14 March 2008 - 12:03 AM

Thanx historyguy64,

Now that you have a HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner
