Next program...I saved it and ran the Cleanup.bat file
Followed all instructions.
HJT attached
This is obviously a very hard one to remove; I found countless references to the same problem on a number of malware removal sites. Here is one thing we haven't tried:
Once you have done this run another HJT scan and post the log here...with your fingers crossed
- Download VirtumundoBegone and save it to your desktop.
- Now reboot into Safe Mode.
- This can be done tapping the F8 key as soon as you start your computer
- You will be brought to a menu where you can choose to boot into safe mode.
- Select safe mode with networking using your arrow keys on the keyboard and then press enter.
- When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.
- Once you are logged into Safe Mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.
- Exit when it has finished, and reboot back to normal mode.
I have my XP disk at the ready.
Can't imagine that this is going to come to that. Still waiting to hear from some others I have asked to take a look at this, but try this....
Run HJT in Safe Mode and put the checkmark next to our "favorite entry"
O2 - BHO: (no name) - {F0033F3A-37C3-486A-B827-F24D08C38331} - H:\WINDOWS\system32\sstts.dll
Click fix checked.
Exit HJT. Reboot to normal and run HJT again and post the log.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
The program IseeyouXP doesn't install because it is looking for C:\ to install to. My hard drive has H:\ assigned to it. I was going to change my hard drive from H: to C: so the program would install. Error message reads (Error in Directory).
I should have written that.
cheers
No that didn't work Judy!!
Ok, I have spent much of the evening going through ALL your HJT logs and suddenly noticed something... Legal or good BHOs (Browser Helper Objects), which are items like Spybot Helper, Adobe Acrobat, Google Toolbar, your printer, Java, Windows Live Toolbar Helper and Windows Live Sign In Helper, always show with their SAME CLSID number, that is the number between {****}.
BUT the one we want to get rid of ALWAYS shows a DIFFERENT CLSID number! On each and every HJT scan the number for that one is different. I believe this is why you cannot get rid of it... delete one number and it just creates a new one.
O2 - BHO: (no name) - {4F4B9EB1-ABBC-4048-8814-1A02BB87E2D0} - H:\WINDOWS\system32\sstts.dll
A new Vundo infection which has recently cropped up is being installed with a rootkit.
A hidden service called DP1112 and a BlackLight log which contains an entry for C:\WINDOWS\qaz4.txt will confirm the presence of the rootkit.
Let's try these steps and see if "maybe" this is what you have been dealing with. You will see these instructions refer to the "C" drive, as this is the usual drive which contains your OS, etc. Since yours is "H", you will of course want to scan the "H" drive, and where "C" is noted yours would probably say "H".
First please delete ALL copies of VundoFix on the computer and all Backups of VundoFix.
1. Download the F-Secure BlackLight Beta by clicking accept and then clicking download on the next page.
* Save to a folder of your choice or the desktop.
* Start the program by double-clicking on its icon.
Note: While scanning, it is important to observe the following precautions:
1. Close all browser, program and Explorer windows.
2. Disconnect from the internet to prevent background programs from autoupdating during the scan.
3. Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight
* Click Accept
* Click Scan - see Note
* When the scan is complete, press Next
* Only rename H:\WINDOWS\qaz4.txt if present, even if other hidden items are found
* Close all other programs before continuing, and then select Next -> Finish.
* Select Restart now to reboot the computer so the changes take effect
* After the reboot, the hidden items should be renamed and visible on the computer.
* Re-run BlackLight to verify that H:\WINDOWS\qaz4.txt is no longer found.
BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as the blbeta.exe.
For more detailed instructions please refer to the BlackLight Help file and Tutorial
2. Stop and delete the service DP1112 via the command prompt
- Click Start -> Run -> type cmd -> Click OK
- Type or paste sc stop DP1112 at the command prompt
- Hit enter
- Type or paste sc delete DP1112 at the command prompt
- Hit enter
- Close the command prompt window
3. Reboot to make the Vundo files visible to Windows and HJT
4. Confirm DP1112 is no longer present in the Device Manager
* Right-click My Computer
* Click Properties -->Hardware --> Device Manager
* On the toolbar menu, click View--> Show Hidden devices.
* Double-click Non-Plug and Play Drivers
* Verify that DP1112 is no longer present in the list of drivers
5. Enable Viewing of Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
6. Delete the file H:\WINDOWS\qaz4.txt.ren, which is the renamed file C:\WINDOWS\qaz4.txt
7. Delete H:\WINDOWS\system32\Drivers\DP.sys
8. Download VundoFix.exe by Atribune to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button
* You will receive a prompt asking if you want to remove the files, click yes
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Restart your computer
* A log called vundofix.txt will be created in your H:\ directory
* Inspect H:\vundofix.txt with Notepad to be sure the fix completed properly
* Please retain H:\vundofix.txt should you need to post a HijackThis log.
9. Run WinPFind to make sure there are no undetected infected files remaining
* Download WinPFind by OldTimer
* Right-click WinPFind.zip and extract all to the H:\ folder (do not open the program yet, as it should be run in Safe Mode)
* Boot into Safe Mode by doing the following:
1. Restart the computer
2. Once the BIOS memory check is done, start tapping the F8 key
3. If done correctly, the Windows Advanced Options Menu will appear.
4. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes
* Once in Safe Mode, double-click WinPFind.exe located within the H:\WinPFind folder
* Click on Start Scan
* Wait for the scan to finish (it may take over 30 minutes)
* The results will be displayed when you see Scan Complete
* A log file called WinPFind.txt will be automatically generated in the WinPFind folder
* If you see an Umonitor entry bearing the same creation date as the other infected files you've removed, with a random-consonant executable file name similar to this:
Checking %System% folder...
* Umonitor 1/28/2006 10:57:20 AM 57364 H:\WINDOWS\SYSTEM32\ljbpjbqn.exe
* This file should be located on your system and deleted.
Please run either Trend Micro HouseCall or Bitdefender online scanner and tell it to fix anything found.
Post back with all requested logs.
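The observation above, that the rogue BHO keeps the same DLL path while its CLSID changes from scan to scan, can be checked mechanically. The following is an added example, not part of the thread or of HijackThis itself: it parses the O2 lines from several HJT logs and reports any DLL that has appeared under more than one CLSID. The two sample logs are constructed; the sstts.dll CLSIDs are the ones quoted in the thread, the "benign" CLSID is a made-up placeholder.

```python
import re

# Constructed sample HijackThis logs (not real scan output). The benign BHO
# keeps one CLSID across scans; sstts.dll shows up under a different one each time.
LOG_A = """\
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - H:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {F0033F3A-37C3-486A-B827-F24D08C38331} - H:\\WINDOWS\\system32\\sstts.dll
"""
LOG_B = """\
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - H:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {4F4B9EB1-ABBC-4048-8814-1A02BB87E2D0} - H:\\WINDOWS\\system32\\sstts.dll
"""

# HJT O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)


def parse_o2(log_text):
    """Return {dll_path (lower-cased): CLSID} for every O2 line in one HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries[m.group("path").lower()] = m.group("clsid").upper()
    return entries


def unstable_bhos(logs):
    """Across several HJT logs, return {dll_path: sorted CLSIDs} for every DLL
    registered under more than one CLSID, i.e. the re-registering behaviour
    described in the thread. Stable (benign) BHOs are not reported."""
    seen = {}
    for text in logs:
        for path, clsid in parse_o2(text).items():
            seen.setdefault(path, set()).add(clsid)
    return {p: sorted(c) for p, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    for path, clsids in unstable_bhos([LOG_A, LOG_B]).items():
        print(f"{path} seen under {len(clsids)} CLSIDs: {', '.join(clsids)}")
```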
Good news or Bad news or no new news.
Sorry, but F-Secure BlackLight Beta found no hidden items, no files to rename.
I'll give this a couple of more tries then I'm packing it in for about 5 weeks as I'm heading for Europe on the 1st of December.
Here's a log anyway. I don't think it's going to tell you much.
Message received from ShadowPuterDude: None of the Vundo removal tools are going to work, and there is no rootkit at work here. The Vundo process is hooked into 1 or more Windows processes and until the poster runs ProcessDLL and posts the log, we won't know what processes those are.
Please follow the steps given in post #38