Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo/virtumundo Type Infection, Cannot Remove


  • This topic is locked This topic is locked
15 replies to this topic

#1 mikep77

mikep77

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 04 March 2007 - 05:22 PM

Hello

Im having a problem fixing a friends computer. Im usually very good at removing spyware/viruses but this one is puzzling me.

It seems that it follows the symptoms of a vundo/virtualmonde infection because of the matching BHO and WinLogon Notify keys. However, the vundofix and virtumundobegone removal tools are not working. Adaware and ewido anti-spyware are not catching the file either (kdkekdk.dll)

Killbox will not delete the file or replace it with a dummy file on reboot. I get access denied or 'removed by external process' when trying to do so.

Hopefully somebody can chime in and help me figure this out.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:17:52 PM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\TEMP\85468.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Owner\Desktop\fix it folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jskikixo.slt\prefs.js)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (file missing)
O2 - BHO: (no name) - {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} - C:\WINDOWS\system32\kdkekdk.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: uurybluo - C:\WINDOWS\SYSTEM32\kdkekdk.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 04 March 2007 - 05:26 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please download VundoFix to your Desktop
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes (no arrows):

--> C:\WINDOWS\SYSTEM32\kdkekdk.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 04 March 2007 - 05:35 PM

Thank for you the quick reply. I have followed your instructions and added the file to VundoFix.

I get the following message:

C:\windows\system32\kdkekdk.dll could not be deleted, Vundofix will load on reboot to attempt removal. Please click remove vundo once your machine has rebooted.

I rebooted as instructed, click on 'Remove Vundo' and I get the above message again.

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 04 March 2007 - 05:40 PM

Try letting it reboot again, please.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 04 March 2007 - 05:41 PM

I rebooted again and the vundofix box came up. This time the white box was blank so I added c:\windows\system32\kdkekdk.dll back in. I get the same message saying it cannot be deleted and it wants to reboot, again.

Edited by mikep77, 04 March 2007 - 05:42 PM.


#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 05 March 2007 - 02:31 AM

Can I have the two requested logs, please?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 05 March 2007 - 09:17 AM

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:10 AM, on 3/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee\msc\mcupdui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
G:\fix it folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jskikixo.slt\prefs.js)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (file missing)
O2 - BHO: (no name) - {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} - C:\WINDOWS\system32\kdkekdk.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: uurybluo - C:\WINDOWS\SYSTEM32\kdkekdk.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



Vundofix.txt
-------------------------------------------


VundoFix V6.3.12

Checking Java version...

Scan started at 2:04:42 PM 3/4/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.12

Checking Java version...

Scan started at 4:34:14 PM 3/4/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.12

Checking Java version...

Scan started at 2:15:47 AM 3/5/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.12

Checking Java version...

Scan started at 2:25:32 AM 3/5/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\kdkekdk.dll
c:\windows\system32\kdkekdk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#8 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 05 March 2007 - 02:54 PM

Also, I keep getting wuauclt.exe in the c:\windows\temp directory and it takes all my computers CPU power (even in safe mode). I have to manually end the process and delete the file, but when i reboot it just comes back. This isnt showing up in the hijackthis log for some reason.

Edited by mikep77, 05 March 2007 - 02:56 PM.


#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 05 March 2007 - 03:01 PM

Hello there, sorry about the wait; I didn't get an email to say you'd replied.
Download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Save the file to your Desktop
Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe to run the program.
Read the introductory information, and then click Continue.
Click Start.
When asked if you want to continue, click Yes to run the fix.
Click "Save Log"
Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.
The log created by VirtumundoBeGone called VBG.TXT will be on located on your Desktop. Please retain VBG.TXT.

Please download ATF Cleaner.
Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.
Click Exit on the main menu to close the program.

Please include VBG.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#10 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 05 March 2007 - 03:21 PM

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:44 PM, on 3/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\crap\VundoFix.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Owner\Desktop\fix it folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
O2 - BHO: (no name) - {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: uurybluo - C:\WINDOWS\SYSTEM32\kdkekdk.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\I




VBG Log:
------------------------


[03/05/2007, 15:19:35] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\crap\VirtumundoBeGone.exe" )
[03/05/2007, 15:19:36] - Detected System Information:
[03/05/2007, 15:19:36] - Windows Version: 5.1.2600, Service Pack 1
[03/05/2007, 15:19:36] - Current Username: Owner (Admin)
[03/05/2007, 15:19:36] - Windows is in NORMAL mode.
[03/05/2007, 15:19:36] - Searching for Browser Helper Objects:
[03/05/2007, 15:19:36] - BHO 1: {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} ()
[03/05/2007, 15:19:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/05/2007, 15:19:36] - No filename found. Continuing.
[03/05/2007, 15:19:36] - Finished Searching Browser Helper Objects
[03/05/2007, 15:19:36] - Finishing up...
[03/05/2007, 15:19:36] - Nothing found! Exiting...

Edited by mikep77, 05 March 2007 - 03:24 PM.


#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 05 March 2007 - 05:11 PM

Hello there,
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} - (no file)
O20 - Winlogon Notify: uurybluo - C:\WINDOWS\SYSTEM32\kdkekdk.dll


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\kdkekdk.dll

Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please include a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#12 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 05 March 2007 - 05:36 PM

When I do that with pocket killbox I get the following message when I click the Red circle with white X

PendingFileRenameOperations Registry Data has been Removed by External Process!

I press OK and it just returns me to the killbox screen.

I also tried this in safe mode. It doesnt give that message but when it boots back into windows the BHO and Winlogon keys are back and I get the same message when trying to use Killbox.

Edited by mikep77, 05 March 2007 - 05:42 PM.


#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 06 March 2007 - 11:35 AM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Scan again with HijackThis and put a checkmark next to each of the following entries (if present): O2 - BHO: (no name) - {7B7D2B32-E2EF-4DED-9563-796EB5610BD7} - (no file)
O20 - Winlogon Notify: uurybluo - C:\WINDOWS\SYSTEM32\kdkekdk.dll

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\kdkekdk.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

4. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
5. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
6. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#14 mikep77

mikep77
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 06 March 2007 - 12:43 PM

Charles,

I appreciate your help so far, but while waiting for your response last night I finally deleted kdkekdk.dll using The Ultimate Boot Disk.

Afterwards, the computer kept BSODing with messages like:

multiple_irp_complete_requests and page_fault_in_nonpaged_area

I already had everything backed up, so I just went ahead and reinstalled windows.

I wish I could have fixed this problem because this is the only computer ive ever worked on that has been so difficult. Im sure there were other problems with it as well...

Thanks for your help

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 06 March 2007 - 02:46 PM

Sorry to hear you had to format. In order to protect yourself against spyware, you should consider installing and running the following free programs:
AVG AntiSpyware
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users