Okay, my virus scanner has been annoying me with the detection of the Trojan/Vundo jkkli.dll (in the system32 folder) for days. It keeps on popping up 'virus found!' messages and I am forced to close my antivirus program because it drives me mad. Today I have tried really everything to delete it - antispyware programs, Killbox, fixing with HJT, rebooting in DOS with safe mode to delete it... nothing works. I'm desperate and any help would be appreciated very very much. Here is my HJT log - thank you so much in advance.
Logfile of HijackThis v1.99.1
Scan saved at 10:11:54, on 2/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Read the introductory information, and then click Continue.
Click Start.
When asked if you want to continue, click Yes to run the fix.
Click "Save Log".
Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.
The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop.
Post the VBG.TXT log along with a fresh HijackThis log.
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone else's thread.
Hello Touch. I know about the several programs running. *sigh* I made the mistake of downloading other ones in the hope they would help me remove jkkli.dll.
However I believe your method actually worked! :D Thanks a lot for the quick help. Here are the logs in case they are still needed. Once again, thank you. I really appreciate it.
[09/02/2006, 11:34:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Nathalie Dekeyser\Bureaublad\VirtumundoBeGone.exe" )
[09/02/2006, 11:34:56] - Detected System Information:
[09/02/2006, 11:34:56] - Windows Version: 5.1.2600, Service Pack 2
[09/02/2006, 11:34:56] - Current Username: Nathalie Dekeyser (Admin)
[09/02/2006, 11:34:56] - Windows is in NORMAL mode.
[09/02/2006, 11:34:56] - Searching for Browser Helper Objects:
[09/02/2006, 11:34:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/02/2006, 11:34:56] - BHO 2: {9D4D95CF-3EAD-4CD9-996B-CFD476386CCA} ()
[09/02/2006, 11:34:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/02/2006, 11:34:56] - Checking for HKLM\...\Winlogon\Notify\jkkli
[09/02/2006, 11:34:56] - Found: HKLM\...\Winlogon\Notify\jkkli - This is probably Virtumundo.
[09/02/2006, 11:34:56] - Assigning {9D4D95CF-3EAD-4CD9-996B-CFD476386CCA} MSEvents Object
[09/02/2006, 11:34:56] - BHO list has been changed! Starting over...
[09/02/2006, 11:34:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/02/2006, 11:34:56] - BHO 2: {9D4D95CF-3EAD-4CD9-996B-CFD476386CCA} (MSEvents Object)
[09/02/2006, 11:34:56] - ALERT: Found MSEvents Object!
[09/02/2006, 11:34:56] - Finished Searching Browser Helper Objects
[09/02/2006, 11:34:56] - *** Detected MSEvents Object
[09/02/2006, 11:34:56] - Trying to remove MSEvents Object...
[09/02/2006, 11:34:57] - Terminating Process: IEXPLORE.EXE
[09/02/2006, 11:34:57] - Terminating Process: RUNDLL32.EXE
[09/02/2006, 11:34:57] - Disabling Automatic Shell Restart
[09/02/2006, 11:34:57] - Terminating Process: EXPLORER.EXE
[09/02/2006, 11:34:57] - Suspending the NT Session Manager System Service
[09/02/2006, 11:34:58] - Terminating Windows NT Logon/Logoff Manager
[09/02/2006, 11:40:00] - Re-enabling Automatic Shell Restart
[09/02/2006, 11:40:00] - File to disable: C:\WINDOWS\system32\jkkli.dll
[09/02/2006, 11:40:00] - Renaming C:\WINDOWS\system32\jkkli.dll -> C:\WINDOWS\system32\jkkli.dll.vir
[09/02/2006, 11:40:00] - File successfully renamed!
[09/02/2006, 11:40:00] - Removing HKLM\...\Browser Helper Objects\{9D4D95CF-3EAD-4CD9-996B-CFD476386CCA}
[09/02/2006, 11:40:00] - Removing HKCR\CLSID\{9D4D95CF-3EAD-4CD9-996B-CFD476386CCA}
[09/02/2006, 11:40:00] - Adding Kill Bit for ActiveX for GUID: {9D4D95CF-3EAD-4CD9-996B-CFD476386CCA}
[09/02/2006, 11:40:00] - Deleting ATLEvents/MSEvents Registry entries
[09/02/2006, 11:40:00] - Removing HKLM\...\Winlogon\Notify\jkkli
[09/02/2006, 11:40:00] - Searching for Browser Helper Objects:
[09/02/2006, 11:40:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/02/2006, 11:40:00] - Finished Searching Browser Helper Objects
[09/02/2006, 11:40:00] - Finishing up...
[09/02/2006, 11:40:00] - A restart is needed.
[09/02/2006, 11:40:00] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[09/02/2006, 11:40:14] - Attempting to Restart via STOP error (Blue Screen!)
Logfile of HijackThis v1.99.1
Scan saved at 11:46:13, on 2/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
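The VBG.TXT log above shows the heuristic VirtumundoBeGone used: a Browser Helper Object whose CLSID has no default name, whose DLL is also registered as a Winlogon notify package. The script below is an added example written for this thread, not VirtumundoBeGone's or HijackThis's code, and reproduces only that read-only check so an administrator can review a machine before deciding what to remove. It assumes the XP-era registry layout shown in the log (the Winlogon\Notify key no longer exists on Vista and later) and must run in an elevated PowerShell session; it changes nothing.

```powershell
# Added example (not code from the thread or from VirtumundoBeGone).
# Read-only audit: list BHOs, resolve their CLSID default name and DLL,
# and flag the combination the VBG.TXT log reacts to:
#   - BHO whose CLSID has no default name
#   - the same DLL name registered under Winlogon\Notify
# Assumes the XP/2003 registry layout; on 64-bit hosts also check Wow6432Node.

$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-NotifyPackages {
    # Each subkey of Winlogon\Notify names a package; DLLName points at its DLL.
    if (-not (Test-Path $notifyKey)) { return @() }
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        [pscustomobject]@{ Package = $sub.PSChildName; DllName = $dll }
    }
}

function Get-BhoReport {
    $notify = @(Get-NotifyPackages)
    if (-not (Test-Path $bhoKey)) { return @() }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid    = $sub.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path $clsidKey) {
            # '(default)' is how PowerShell exposes a key's unnamed default value.
            $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        # Compare on the bare file name (e.g. "jkkli"), as the log did.
        $base = if ($dll) { [IO.Path]::GetFileNameWithoutExtension($dll) } else { $null }
        $notifyHit = $notify | Where-Object {
            $base -and (
                ($_.Package -ieq $base) -or
                ($_.DllName -and ([IO.Path]::GetFileNameWithoutExtension($_.DllName) -ieq $base))
            )
        }
        [pscustomobject]@{
            CLSID          = $clsid
            Name           = $name
            Dll            = $dll
            NoDefaultName  = [string]::IsNullOrEmpty($name)
            WinlogonNotify = [bool]$notifyHit
        }
    }
}

# Rows with both NoDefaultName and WinlogonNotify set are the ones worth a closer look.
Get-BhoReport | Format-Table -AutoSize
```

A hit on both columns is a strong signal in this family, but a missing default name alone is not proof of anything: plenty of legitimate COM servers register without one, so treat the report as a shortlist for manual review rather than a verdict.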
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT. Click fix checked.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe <<If your computer doesn't act as a server
---------------------------------------------------
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
Reboot into Safe Mode by tapping F8 after the BIOS has loaded. The Windows Advanced Options Menu appears. Ensure that the Safe mode option is selected. Press Enter. The computer then begins to start in Safe mode.
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
Open Folder Options in Control Panel > View and check your settings:
Select: Show hidden files and folders
Select: Display the contents of system folders
Uncheck: Hide protected operating system files
Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button.
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver - Uncheck - Heuristic analysis
Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select –Move
Remove checkmark from – Prompt on action
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
When the scan has finished, look if you can click the next icon next to the files found. If so, click it, then click the next icon right below and select Move incurable. This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list. Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a HijackThis log, and tell how things are running.
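The F2 and O4 lines in the fix list above come from two autostart locations HijackThis reads: the Winlogon Userinit value and the Run keys. The script below is an added example for this thread, not HijackThis's own code, and simply reports what is in those locations so the values can be compared with a fix list like the one posted. It assumes the standard XP path for userinit.exe under %SystemRoot%\system32 (the value the helper's F2 line shows) and should run in an elevated session; it reads only and modifies nothing.

```powershell
# Added example (not code from the thread or from HijackThis).
# Report the two autostart locations behind HJT's F2 (Userinit) and O4 (Run) lines.
# Assumption: a clean Userinit value is "<SystemRoot>\system32\userinit.exe," (trailing comma is normal).

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Test-Userinit {
    $value = (Get-ItemProperty $winlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
    # Userinit may list several comma-separated programs; anything beyond the
    # expected one is an extra program started at every logon and deserves a look.
    $entries = @()
    if ($value) { $entries = @($value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    $extra = @($entries | Where-Object { $_ -ine $expectedUserinit })
    [pscustomobject]@{
        Userinit = $value
        Expected = $expectedUserinit
        Clean    = ($entries.Count -eq 1) -and ($extra.Count -eq 0)
        Extra    = ($extra -join '; ')
    }
}

function Get-RunEntries {
    # PowerShell adds these provider properties to Get-ItemProperty output; they are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Executable is either the quoted first token or the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Hive    = $key.Split(':')[0]          # HKLM or HKCU, matching HJT's O4 prefix
                Name    = $p.Name                      # the bracketed name in the O4 line
                Command = $cmd
                Exists  = (Test-Path -LiteralPath $exe) # a missing file is a stale or already-removed entry
            }
        }
    }
}

Test-Userinit  | Format-List
Get-RunEntries | Format-Table -AutoSize
```

On a 64-bit host the 32-bit Run key under Wow6432Node would need to be added to the list; the thread's machine is 32-bit XP, so the two keys above are the ones HijackThis reported from.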
Thank you again for the cleaning up instructions. I've done everything up to ATF Cleaner, but Dr Web - Cure It would have taken a really long time to complete the scan and I can't miss my pc that long right now, hehe. I will definitely do it some other day and you will hear back from me then. Thanks again for the help!