khhhe.dll ??

Discussion in 'Malware Help (A Specialist Will Reply)' started by buffaLo, Oct 6, 2005.

  1. buffaLo

    buffaLo Private E-2

    it must be new, cuz i can't get rid of it...
    it's giving me a random pop up every 5-6 pages and running in the system 32 file

    hijackthis can't delete it
    killbox can't get it
    it's running thru a program in safe mode, so no help there
    ive tried ad-aware & spybot SD
    tried to manually remove it...

    im stuck
    i just DL a-squared, so maybe that'll help

    any suggestions?
    i hate this stuff

    - buffaLo
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like Virtumundo B.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis


    After doing the above, we will be in a position to resolve your Virtumundo problem.
     
  3. buffaLo

    buffaLo Private E-2

    whoa whoa i think its that winfixer stuff...
    im gettin a pop up with winfixer.com but the page isn't loading
    im gonna kill this thing i swear
     
  4. buffaLo

    buffaLo Private E-2

    Edit by chaslang: Very old version, inline log removed. READ ME FIRST not run.
     
    Last edited by a moderator: Oct 6, 2005
  5. buffaLo

    buffaLo Private E-2

    sorry im attaching it :(
     
    Last edited by a moderator: Oct 6, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions in my first message to you!
     
  7. buffaLo

    buffaLo Private E-2

    ok ok i have most of this stuff downloaded but the bitdefenders gonna take a while and i gotta head to work...

    ill hit you up when i return

    -buffaLo
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! As soon as you complete all scans, make sure you follow my directions for downloading, installing, and running HijackThis and attach a new log with the correct version of HijackThis.
     
  9. buffaLo

    buffaLo Private E-2

    im back from work!
    and that bastard is still on here...

    hit me up! and let me know...im going to the bar over this :eek:

    buffaLO
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're still not following directions.

    Read my editing remarks in message # 4 and 5.
     
  11. buffaLo

    buffaLo Private E-2

    ok sorry i am anxious and ADD
    i took my time this time
    PLEASE tell me im clear to move on
    i read EVERYTHING
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you follow these steps exactly! Don't rush! Do them right and it will fix your problem.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Please print these instructions out for use in Safe Mode with no networking and DO NOT RUN any browsers while doing these steps.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\khhhe.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\ehhhk.*



    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\khhhe.dll
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O20 - Winlogon Notify: khhhe - C:\WINDOWS\System32\khhhe.dll



    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
    • Now please attach a new HJT log from normal mode. And tell me how things are working.
     
  13. buffaLo

    buffaLo Private E-2

    chaslang!

    it seems that i am unable to run my computer in safe mode
    i get past the password screen fine
    but when the window prompt pops up (the one that says "click yes if you are sure you want windows to run in safe mode. . ." ), the computer seems to "glitch" and i can't click yes OR no

    then the screen is black and i get no explorer bar or desktop items, just safe mode background

    so basically i cant perform the vundo fix until i can get my comp to run in safe mode

    this is bad, help!
    thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you get into safe mode with the empty Desktop, try the below.

    Press CTRL-SHIFT-ESC at the same time to bring up Task Manager. If that works, do the below.
    Click File, New Task (Run...) and enter explorer.exe in the box and click okay. See if either your Desktop appears or a Windows Explorer window opens up. If either of these occur, you should now be able to navigate your way to the KillVundo.bat file to run it.

    Let me know what happens.
     
  15. buffaLo

    buffaLo Private E-2

    it still wont let me run explorer.exe
    i cant get past it
    what can i do?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's use my older manual approach. Start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later. You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of khhhe.dll once and then click the kill button. After you have killed all of the khhhe.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of khhhe.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\khhhe.dll
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O20 - Winlogon Notify: khhhe - C:\WINDOWS\System32\khhhe.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.




    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\ehhh.ini
    C:\WINDOWS\SYSTEM32\ehhh.ini2
    C:\WINDOWS\SYSTEM32\ehhh.bak
    C:\WINDOWS\SYSTEM32\ehhh.bak1
    C:\WINDOWS\SYSTEM32\ehhh.bak2
    C:\WINDOWS\SYSTEM32\ehhh.tmp
    C:\WINDOWS\System32\khhhe.dll

    If you find any other files in this folder that begin with ehhh and end with any other extension (the .ini is an extension) delete them too.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log and tell me how the steps went. Doing this in normal boot mode does not always work. That is why we try to use safe mode.
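
Added example, not part of chaslang's post or of any MajorGeeks tool: a small Python parser for the HijackThis entries listed in the post above. It picks out which autostart entries load a given DLL and which process hosts it, which is why the steps kill khhhe.dll threads under winlogon.exe and explorer.exe before deleting the file. The function names and the last sample line are constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules regardless of host OS

# Entries copied from the post above, plus one constructed benign entry.
HJT_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\khhhe.dll",
    r"O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)",
    r"O20 - Winlogon Notify: khhhe - C:\WINDOWS\System32\khhhe.dll",
    # Constructed sample so the filter has something to skip:
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll",
]

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\.*$")       # drive-letter path to end of line
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Process that loads the DLL for each section: a BHO runs inside the
# browser/shell, a Winlogon Notify package runs inside winlogon.exe.
HOST = {"O2": "explorer.exe / iexplore.exe", "O20": "winlogon.exe"}

def parse_entry(line):
    """Split one HijackThis line into section code, CLSID and file path."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = WIN_PATH.search(body)
    clsid = CLSID.search(body)
    return {"code": m.group("code"),
            "clsid": clsid.group(0) if clsid else None,
            "path": path.group(0) if path else None,
            "host": HOST.get(m.group("code"))}

def entries_loading(lines, dll_name):
    """Return parsed entries whose path ends in dll_name (case-insensitive)."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if e and e["path"] and basename(e["path"]).lower() == dll_name.lower():
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in entries_loading(HJT_LINES, "khhhe.dll"):
        print(e["code"], e["host"], e["path"])
```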
     
  17. buffaLo

    buffaLo Private E-2

    i think it could be gone... ?
    im knocking on wood

    heres the log
    thank you so far!
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes! It's gone. But why do you now have HJT running improperly?

    C:\Documents and Settings\user name\Desktop\Installed Programs\Spyware Removal\HiJackThis\HijackThis.exe

    You had it correct before. It does not matter at this point but you should get rid of all copies of HJT except for this one: C:\Program Files\HJT\HijackThis.exe
     
    Last edited by a moderator: Jun 29, 2011
  19. buffaLo

    buffaLo Private E-2

    questions

    1.) i have had HJT in a folder thru my desktop ever since I DL about a year ago... i guess i am just used to using it there
    is there any way i can use a shortcut of HJT to keep it in my spyware removal folder?

    2.) can i turn my hidden files off again?

    3.) what do i do with this vundo fix on my desktop and can i delete the fixvundo reg key from it?

    4.) should i turn on my system restore again?

    5.) is there anything i can run just in case?

    6.) is bitdefender and that RANVirusscan okay to be in my HJT log?

    7.) should i keep all the spyware stuff i DL for this always?

    thats it! thanks so much for putting up with me and my laptop
    seeing that you are so willing to help, i might have some questions later :p

    thanks again
    buffaLo
     
  20. buffaLo

    buffaLo Private E-2

    heres the log
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not the correct place to run it from. You need to run it like you did in message # 11. Your Spyware Removal folder is not located in a good place. No other user accounts can access it there and this is a folder area quite often attacked by malware. Also HJT and other items are Programs. They are not Documents or Settings. Put your Spyware Removal folder in a place like below and then use a shortcut if desired.

    C:\Program Files\Spyware Removal then you would have HJT in: C:\Program Files\Spyware Removal\HJT

    or even C:\Spyware Removal would be acceptable

    Not necessary and it only makes it easier for malware to hide again.

    Delete the VundoFix file and registry patch from your Desktop.

    Yes, enable system restore now that you are clean.

    There are many other tools you could run. But you do not need to unless you are still having malware problems. You should however, follow all the steps in:
    How to Protect yourself from malware!

    They are not problems. They are just components used whenever the online scanners would be run. If you delete them, they would have to be redownloaded before the scans could be run again.

    Terminology: spyware is bad. I had you download spyware scanners/detection/removal tools, not spyware. Yes, keep it. There is no reason to remove it. You may need them again. Keep them updated.
     
  22. buffaLo

    buffaLo Private E-2

    ok i put the spyware removal folder in my program files
    ill continue to update my spyware scanners/detection/removal tools

    one final question:
    i see two hidden files in my program files:
    WindowsUpdate
    Winupdates

    are those ok?

    can i delete my HJT zip file btw?
    i can still run HJT, now that I have extracted everything right?

    ok ok
    im done
    THANK YOU
    buffaLo
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are folders not files. WindowsUpdate is valid! Winupdates is from malware, delete it.

    Yes, you can delete the HijackThis.zip file if desired.
     
  24. buffaLo

    buffaLo Private E-2

    what's a !submit FOLDER?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's from PocketKillbox. It stores copies of things it removes there so they can be submitted (if desired) for inspection. You can safely remove this folder.
     
