Scanning in Safe Mode makes it a lot easier for anti-virus to detect and clean infections because they are not actively running at the time. Scanning in Safe Mode probably would've given you a cleaner log. Exactly what options are there in your boot menu? If you can't get into Safe Mode, then you may need to use Pocket KillBox for deleting files in my fix...
First... your HijackThis is in a temporary location. If you leave it there, it (along with its important backups) can and will eventually be deleted. Please navigate to its current location (C:\Documents and Settings\OWNER\Local Settings\Temporary Internet Files\Content.IE5\4FGADTEH) and move it to a new permanent folder at C:\Program Files\HJT.
Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.
1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files. Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file. Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
Vundo should now be removed from your computer.
And as for your log... Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2A0D2A0D-E789-4C5F-96CB-D5C1958CF330} - \
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\toqponqx.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: (no name) - {C4C9A109-7749-48EE-AA91-F1836F8A480F} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\rqrssrr.dll
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320 161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [mnrjdtkA] C:\WINDOWS\mnrjdtkA.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\nmnilmhu.dll",realset
O4 - HKCU\..\Run: [zzmu] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweapon/sis/popcaploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rqrssrr - C:\WINDOWS\SYSTEM32\rqrssrr.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tjjkfqof.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\mnrjdtk.exe (file missing)
Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...
InetGet2
WinAntiSpyware 2007

Please note any other programs that you don't recognize in that list in your next response.

Navigate to and delete the following folder(s) if present...
C:\Program Files\InetGet2
C:\Program Files\Common Files\WinAntiSpyware 2007

Navigate to and delete the following file(s) if present...
C:\WINDOWS\mnrjdtk.exe
C:\WINDOWS\mnrjdtkA.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\nmnilmhu.dll
C:\WINDOWS\system32\rqrssrr.dll
C:\WINDOWS\system32\tjjkfqof.exe
C:\WINDOWS\system32\toqponqx.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\xmlhelper2.dll
Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.

Hi... I am sorry to bother you about this, but what do you mean when you say follow the instructions for VirtumundoBeGone?

When you run VirtumundoBeGone, it displays a message that explains what the program does and what you should do. Basically, you click on Start and it will start scanning, which will take about 15 SECONDS. If you receive any prompts, respond to them accordingly. After the scan, there will be a VBG.txt Notepad file. You should paste the contents of that (along with the VundoFix file) in your next post, along with a new HijackThis log.

I managed to download VirtumundoBeGone. The problem is that I wasn't able to find it when I rebooted in Safe Mode. I could find it when I boot in normally.
I am really, really sorry for asking these stupid questions.

Hey, don't worry, I'd rather have you ask a bunch of questions than not even follow my instructions. There's nothing wrong with asking questions; it's how you learn! When you reboot into Safe Mode, are you given the option to choose between different accounts? It will often give you the choice between Administrator and Owner. Owner is your account, so log into that one and see if the program is there.

Here's the new HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 10:49:46 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\AOL\1125001301\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cidaemon.exe
c:\program files\common files\aol\1125001301\ee\aexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/today/aimtoday.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B339E38A-22DD-4425-92C2-3C15F9643F4B} - C:\WINDOWS\system32\vtutu.dll (file missing)
O3 - Toolbar: FLASHGET Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125001301\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java CONSOLE - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89981B1D-07DA-43C3-9770-06C51E7E5DCE} (NostaleWebStarter Control) - http://game.nostale.com/sso/NostaleWebLauncher.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfinity.net/cab/WindyGSPAx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision CORPORATION - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I was unable to find the following when I scanned my computer with HijackThis...

O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\toqponqx.dll (file missing)
O2 - BHO: (no name) - {C4C9A109-7749-48EE-AA91-F1836F8A480F} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\rqrssrr.dll
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\nmnilmhu.dll",realset
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll

I did the rest as instructed. For some reason I keep on getting a Trojan in my comp even when I'm not using my internet. (My connection was still on.)
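The helper in this thread is reading the HijackThis log by eye for a few tells: references to files that no longer exist, BHOs with no name, services with no vendor, Run entries that load a DLL through rundll32, and executables named one letter away from a core Windows process (svhost vs svchost, poolsv vs spoolsv). The script below is an added illustration of those same checks, not part of the thread or of HijackThis; the sample lines are constructed from entries quoted above, and the heuristics and names are my own.

```python
import re

# Constructed sample: HijackThis-style lines modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {B339E38A-22DD-4425-92C2-3C15F9643F4B} - C:\\WINDOWS\\system32\\vtutu.dll (file missing)
O4 - HKLM\\..\\Run: [svhost] "C:\\WINDOWS\\svhost.exe"
O4 - HKLM\\..\\Run: [poolsv] "C:\\WINDOWS\\poolsv.exe"
O4 - HKLM\\..\\Run: [GPLv3] rundll32.exe "C:\\WINDOWS\\system32\\nmnilmhu.dll",realset
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O23 - Service: DomainService - Unknown owner - C:\\WINDOWS\\system32\\tjjkfqof.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Core Windows process names that malware likes to imitate (svhost vs svchost, poolsv vs spoolsv).
SYSTEM_NAMES = {"svchost", "spoolsv", "lsass", "services", "winlogon", "smss", "csrss", "explorer"}
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s,]+)')  # first drive-letter path on the line


def edit_distance(a, b):
    """Plain Levenshtein distance; one edit away from a system name is the look-alike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_line(line):
    """Return the reasons a HijackThis line deserves a closer look (empty list = nothing odd)."""
    reasons = []
    section = line.split(" - ", 1)[0]
    if "(file missing)" in line:
        reasons.append("orphaned registry reference to a missing file")
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO with no name")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service with no vendor information")
    if section == "O4" and "rundll32.exe" in line.lower():
        reasons.append("Run entry loads a DLL through rundll32")
    match = PATH_RE.search(line)
    if match:
        base = match.group(1).rsplit("\\", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        if stem not in SYSTEM_NAMES and any(edit_distance(stem, s) == 1 for s in SYSTEM_NAMES):
            reasons.append(f"'{base}' looks like a system process name")
    return reasons


def triage(log_text):
    # Map each flagged line, in log order, to its list of reasons.
    flagged = {}
    for entry in log_text.splitlines():
        reasons = flag_line(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged
```

Run `triage(SAMPLE_LOG)` and the two benign lines (igfxcui and vsmon) come back clean while the other five are flagged; an entry that trips none of these checks can still be bad, so the output is a reading aid, not a verdict.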
What about the VundoFix and VirtumondoBeGone logs? Which program is picking up the trojan?
Also, you need to fix this entry...
O2 - BHO: (no name) - {B339E38A-22DD-4425-92C2-3C15F9643F4B} - C:\WINDOWS\system32\vtutu.dll (file missing)

It is the AVG Anti-Virus (Resident Shield) that is picking up the trojans. I will post the logs first thing tomorrow. Thank you very much for helping me with this.

No problem, Ifain. I'll leave the light on for you.

Quote from: Ifain on July 03, 2007, 03:26:39 PM
I managed to download VirtumundoBeGone. The problem is that I wasn't able to find it when I rebooted in Safe Mode. I could find it when I boot in normally.
I am really, really sorry for asking these stupid questions.

In regular mode create a new folder called VMonde Fix or whatever you want to call it. Drag the program into that folder. This way when you re-boot into Safe Mode you will be able to find it...
Safe Mode can be confusing for the Desktop as it re-orients all the icons.

Sorry it took me so long, I had to go SOMEWHERE for the weekend. Sorry. Anyway, here is the VirtumundoBeGone log:
[07/09/2007, 15:53:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\OWNER\Desktop\VirtumundoBeGone.exe" )
[07/09/2007, 15:54:08] - Detected System Information:
[07/09/2007, 15:54:08] - Windows Version: 5.1.2600, Service Pack 2
[07/09/2007, 15:54:08] - Current Username: OWNER (Admin)
[07/09/2007, 15:54:08] - Windows is in NORMAL mode.
[07/09/2007, 15:54:08] - Searching for Browser Helper Objects:
[07/09/2007, 15:54:08] - BHO 1: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[07/09/2007, 15:54:08] - BHO 2: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/09/2007, 15:54:08] - BHO 3: {B339E38A-22DD-4425-92C2-3C15F9643F4B} ()
[07/09/2007, 15:54:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2007, 15:54:08] - Checking for HKLM\...\Winlogon\Notify\vtutu
[07/09/2007, 15:54:08] - Key not found: HKLM\...\Winlogon\Notify\vtutu, continuing.
[07/09/2007, 15:54:08] - Finished Searching Browser Helper Objects
[07/09/2007, 15:54:08] - Finishing up...
[07/09/2007, 15:54:08] - Nothing found! Exiting...
I can't seem to find the VundoFix file, sorry.

That's alright, Ifain, I know how it is. How are things running now? Still having problems?

Yup, everything is running fine... Thanks for the help.

Awesome, I'm glad to hear that. Now that you're clean, there are just a couple of things you should take care of...
First, you'll want to clean out your System Restore. This is to remove any infected files that have been backed up by Windows. Please follow these steps...
1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.
System Restore will now be active again. If you would like to learn more about System Restore, go here.
Also, I see that your Java is out of date. You'll want to correct this quickly, as it will help provide further protection for you. To do so, go here and click on Free Java Download. You will be given instructions on what to do next.
To learn more about how you may have been infected and for even more prevention tips, read Tony Klein's protection article.

As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.
If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.