Trojan.Vundo/jkkli.dll

Discussion in 'Malware Help (A Specialist Will Reply)' started by wcdave, Nov 20, 2005.

  1. wcdave

    wcdave Private E-2

    Hey everyone,

I'm having problems removing a Trojan.Vundo virus that Norton Antivirus has detected. I keep on getting a popup saying that Norton is "Unable to repair this file." When I click ok, it changes to "Access to the file was denied." The listed file is C:\WINDOWS\system32\jkkli.dll

    I've gone through all of the steps in "read and run me first before asking questions."

    TrojanScan came up with no malware. BitDefender got rid of some files, but mostly from Norton's quarantine list.

    Adaware came up with a box saying: C:\WINDOWS\system32\ssqrp.dll could not be removed

    I've attached the hjt log.

    Any help would be appreciated.

    Dave
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give this a run: Running Spy Sweeper...

    Make sure you attach the Spy Sweeper log when finished and also attach a new HJT log too.
It will take quite a while for the Spy Sweeper scan to run. It is very intensive and should resolve your Virtumonde problems.
     
  3. wcdave

    wcdave Private E-2

    Thanks. Norton Antivirus no longer pops up identifying the virus. But I noticed that the jkkli.dll file is still referenced in the HJT log.

    The HJT and spysweeper logs are attached.

    Again, thanks.
    Dave
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

Is the below R1 line something you set up and require?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 205.181.234.21:80

    It appears to be the address of:
Code:
    OrgName:    Level 3 Communications Inc.
    OrgID:      LVLT
    Address:    1025 Eldorado Blvd.
    City:       Broomfield
    StateProv:  CO
    PostalCode: 80021
    Country:    US

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkkli.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
    O20 - Winlogon Notify: ssqrp - ssqrp.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
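The HJT lines above show the two load points Vundo used on this machine: a BHO (O2) and a Winlogon Notify package (O20), both pointing at the same randomly named DLL, plus a second Notify entry (ssqrp). The script below is an added example, not part of this thread or of HijackThis itself: it parses HJT-style log lines and flags entries whose file is missing, Winlogon Notify DLLs with a five-letter random-looking name (the pattern seen in jkkli.dll and ssqrp.dll here), and any DLL that is registered as both a BHO and a Notify package. The sample log is constructed from the lines quoted in this thread, with one benign Notify line (crypt32chain / crypt32.dll) added as an assumed clean control.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines modelled on the ones quoted in
# this thread, plus one assumed-benign O20 line as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 205.181.234.21:80
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkkli.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
O20 - Winlogon Notify: ssqrp - ssqrp.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# "<section> - <description> [- <file>] [(file missing)]"
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.+?)(?P<missing> \(file missing\))?$")

# Vundo-style names in this thread are five lowercase letters (jkkli, ssqrp).
RANDOM_DLL_RE = re.compile(r"^[a-z]{5}\.dll$")


@dataclass
class Entry:
    section: str       # e.g. "O20"
    label: str         # e.g. "Winlogon Notify: jkkli"
    path: str          # file path or bare DLL name; "" if the line has none
    file_missing: bool # HJT appended "(file missing)"


def parse_hjt(text: str) -> list[Entry]:
    """Parse HJT log lines into Entry records; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        # HJT places the file reference after the last " - " separator.
        label, path = rest.rsplit(" - ", 1) if " - " in rest else (rest, "")
        entries.append(Entry(m.group("sec"), label, path, m.group("missing") is not None))
    return entries


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both path separators and %windir%."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (section, file name, reason) findings for suspicious load points."""
    findings = []
    sections_by_dll: dict[str, set[str]] = {}
    for e in entries:
        name = basename(e.path)
        if e.file_missing:
            findings.append((e.section, name, "dangling load point: file missing, entry can be fixed"))
        if e.section == "O20" and RANDOM_DLL_RE.match(name):
            findings.append((e.section, name, "Winlogon Notify DLL with random-looking 5-letter name"))
        if name.endswith(".dll"):
            sections_by_dll.setdefault(name, set()).add(e.section)
    # A DLL loaded both as a BHO and as a Winlogon Notify package is the
    # double persistence seen with jkkli.dll in this thread.
    for name, secs in sections_by_dll.items():
        if {"O2", "O20"} <= secs:
            findings.append(("O2+O20", name, "same DLL registered as BHO and Winlogon Notify package"))
    return findings


def flagged_files(findings: list[tuple[str, str, str]]) -> list[str]:
    """Sorted, de-duplicated file names that appear in any finding."""
    return sorted({name for _, name, _ in findings})


if __name__ == "__main__":
    for sec, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:7} {name:16} {reason}")
```

The "file missing" flag is the interesting one after a cleanup like the Spy Sweeper run above: the DLL is gone, but the registry entry that loaded it is still there, which is exactly why the HJT log kept referencing jkkli.dll even after Norton stopped alerting.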
     
  5. wcdave

    wcdave Private E-2

    The computer was set up for me through my work, but I use it primarily for personal reasons. It's a long story. Can the R1 line be removed or altered if it's not necessary?

    Should I run HJT in safe mode or normal mode?

    Thanks,
    Dave
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But is the Level3 Communications something you recognize? Is the proxy server needed by work or at home?

    HJT should always be run in normal boot mode unless specifically stated otherwise.
     
  7. wcdave

    wcdave Private E-2

Yes, Level3 is the proxy server used at my office.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you do not want to remove it. Otherwise you will have to set it up each time you go into your office.
     
  9. wcdave

    wcdave Private E-2

    So far so good. No signs of the virus.

    Here's the latest HJT log.

    Thank you for your help.

    Dave
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

