Suspicious .dll files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by norwayn00b, Jan 10, 2008.

  1. norwayn00b

    norwayn00b Private E-2

    Hey there.

    I have a problem with my computer. My virus scanner (avast!) keeps stopping trojans. And I can't seem to get rid of it. I've followed the procedures in your sticky "READ & RUN ME FIRST. Malware Removal Guide" but it didn't help.

    I've identified two .dll files in the System32 folder called hggeede.dll and ssqoonn.dll using Prevx CSI, it classifies them as Trojan: Vundo, but I can't seem to be able to remove them or find them on any sites on the web. Anyways, hope someone can give me a hand, 'cause it's very annoying with the popups from avast.

    In advance, thank you. :)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome


    While the Read Me guide has steps and scans to remove malware from your PC, it's not always the case that all malware can be removed by scanners, which is why some of the logs you will have gained (ShowNew, GetRunKeys) are unique to Majorgeeks. What the logs show are places that the most stubborn malware hides, so that once your attached logs are looked at by one of our malware experts, they can then post some manual removal instructions for you to mop up the remaining malware.

    So do please attach the logs.

    Also, before you re-run the Read Me guide, run these steps first if you suspect Vundo/Virtumonde, aka Trojan Vundo Removal - some people also refer to this as WinFixer.
     
  3. norwayn00b

    norwayn00b Private E-2

    Ok, thanks. :)

    Here are the logs.
     

  4. norwayn00b

    norwayn00b Private E-2

    I tried the Vundofix, it found the two .dll files I specified earlier but it couldn't delete them.
     
  5. abri

    abri MajorGeek

    Hi norway00b!
    Welcome to Major Geeks!


    I'm looking at your logs. Thanks for your patience. Things have been hectic here.
    abri
     
  6. abri

    abri MajorGeek

    Hi norwayn00b!


    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\hggeede.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O20 - Winlogon Notify: hggeede - C:\WINDOWS\SYSTEM32\hggeede.dll

    After you click fix, just close hijackthis.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) You have a hidden msn messenger running in the background. I would like for you to go to Alternate Scans and go about halfway down the page and run the Sophos Antirootkit Scan. It was picked up by GMER in Combofix, but I don't think GMER removed it.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
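    As an added example (not code from the thread or from any of the tools named in it), a small Python parser over the HijackThis lines quoted in the post above. It flags the Vundo-style persistence the fix targets: an unnamed BHO whose DLL is also registered as a Winlogon Notify handler, and orphaned registry entries whose file is already gone. The section names O2/O4/O20 and the line layouts are HijackThis's own; the flagging rules are this example's assumptions.

```python
import re
from collections import defaultdict
# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\hggeede.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: hggeede - C:\WINDOWS\SYSTEM32\hggeede.dll
"""

# One pattern per HijackThis section handled here (O2 = BHO, O4 = Run key, O20 = Winlogon Notify).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
                     r'(?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))(?: (?P<args>.*))?$'),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}

def parse_hjt(text):
    """Parse supported HijackThis lines into dicts with section, name, path and basename."""
    entries = []
    for line in text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        pat = PATTERNS.get(section)
        m = pat.match(line) if pat else None
        if not m:
            continue  # unsupported section or unexpected layout: skip rather than guess
        g = m.groupdict()
        path = g.get("path") or g.get("qpath") or g.get("upath") or ""
        entries.append({"section": section, "name": g["name"], "path": path,
                        "basename": path.rsplit("\\", 1)[-1].lower()})
    return entries

def flag_entries(entries):
    """Map basename -> list of reasons the entry matches Vundo-style persistence (assumed rules)."""
    reasons = defaultdict(list)
    sections_by_file = defaultdict(set)
    for e in entries:
        sections_by_file[e["basename"]].add(e["section"])
        if e["section"] == "O2" and e["name"] == "(no name)":
            reasons[e["basename"]].append("BHO registered without a name")
        if e["path"] == "(no file)":
            reasons[e["basename"]].append("orphaned registry entry, file missing")
    for base, secs in sections_by_file.items():
        if {"O2", "O20"} <= secs:  # the BHO + Winlogon Notify pairing seen in this thread
            reasons[base].append("same DLL loaded as BHO and Winlogon Notify")
    return dict(reasons)
```

    Legitimate Run entries such as qttask.exe and jusched.exe produce no flags; only the hggeede.dll pair and the dangling CLSID do.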
     
  7. norwayn00b

    norwayn00b Private E-2

    Hey there. Thanks for the reply and the fix.

    I ran all the steps you told me, the only note I have is that while doing the HijackThis scan there wasn't an option to check "O20 - Winlogon Notify: hggeede - C:\WINDOWS\SYSTEM32\hggeede.dll".

    I also ran the Sophos scan and it came up clean.

    The logs are attached. Funny thing is though, I had to open Internet Explorer to attach them. The "Manage Attachments" button was not present in Firefox.

    As for how things are running, after the reboot Avenger took I haven't gotten any new warnings from Avast. The first one should have popped up three minutes into the session. :)

    Thanks a million for the help!! I'm very impressed you take the time to help complete strangers with technical problems like this. Thanks again!! :)
     

  8. abri

    abri MajorGeek

    Hi norwayn00b!
    Thank you.

    Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.

    Sorry, we got caught here in the transition. Please go to add/remove programs and uninstall Java(TM) 6 Update 3, then REBOOT and go to Sun Java Runtime Environment (JRE) and pick up Java 6 update 4.

    I would like for you to run Combofix again to see if it picks up the hidden MSN Messenger still. It'll be at the bottom of the Combofix log. If it's still there, I'd like for you to go to Alternate Scans and scroll down about halfway down the page and run several of the rootkit scans.

    Please post your Combofix log and if you run other scans, anything from them as well.
    Let me know how this goes.

    abri
     
  9. norwayn00b

    norwayn00b Private E-2

    So it's okay to just delete all those sqm files?
     
  10. norwayn00b

    norwayn00b Private E-2

    Here's the combofix log and a log from rootkit revealer.

    Also ran Panda Rootkit scanner but it came up blank.
     

  11. abri

    abri MajorGeek

    Hi norwayn00b!
    It's gone. You're good. Please run the final cleanup instructions:

    abri
     
  12. norwayn00b

    norwayn00b Private E-2

    Once again, thank you very much!! I'm very grateful!

    I'll repeat my question since I think you missed it. Is it ok for me to delete those sqm files?
     
  13. abri

    abri MajorGeek

    Hi norwayn00b!

    Yes, you can delete them. I did miss that question.

    Happy surfing!

    abri
     
