Trouble removing Trojan.Vundho.H on Windows 2003

Welcome to Major Geeks!

You skipped the first scan we asked you to run. Please run SUPERAntispyware as requested and attach the log from it.


Now let's continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Continue by downloading another tool we will need

- Process Explorer

Extract it to its own folder somewhere that you will be able to locate it later.

Make sure you have rebooted in Normal Mode (do not open any other processes)

Make sure that one and only one Internet Explorer browser is opened up

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
hgGyaBQg.dll
qoMdEXqn.dll

After you have killed all instances of any of the above DLLs under winlogon click ok.
(If you do not find these DLLS, just continue on.)

Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
hgGyaBQg.dll
qoMdEXqn.dll

After you have killed all instances of any of the above DLLs under Explorer click ok.
(If you do not find these DLLS, just continue on.)

Next double click on mdm.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
hgGyaBQg.dll
qoMdEXqn.dll

After you have killed all instances of any of the above DLLs under iexplore click ok.
(If you do not find these DLLS, just continue on.)

Next double click on lsass.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
hgGyaBQg.dll
qoMdEXqn.dll

After you have killed all instances of any of the above DLLs under lsass.exe click ok.
(If you do not find these DLLS, just continue on.)

Next double click on firefox.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
hgGyaBQg.dll
qoMdEXqn.dll

After you have killed all instances of any of the above DLLs under firefox.exe click ok.
(If you do not find these DLLS, just continue on.)

Now just exit Process Explorer.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {619C0805-12A6-412A-86B4-059FE2A073CB} - C:\WINDOWS\system32\hgGyaBQg.dll
O2 - BHO: (no name) - {9AD7FC7F-1FE1-4414-9AC5-EC51457528E4} - C:\WINDOWS\system32\qoMdEXqn.dll
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: qoMdEXqn - C:\WINDOWS\SYSTEM32\qoMdEXqn.dll

After clicking Fix, exit HJT.



Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.


Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\bmrdwrrh.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\cphdtpmx.exe
C:\WINDOWS\system32\gvmgrt.dll
C:\WINDOWS\system32\hgGyaBQg.dll
C:\WINDOWS\system32\idsaju.dll
C:\WINDOWS\system32\kqfixo.dll
C:\WINDOWS\system32\qoMdEXqn.dll
C:\WINDOWS\system32\qqnidr.dll
C:\WINDOWS\system32\qrkrdm.dll
C:\WINDOWS\system32\qspijw.dll
C:\WINDOWS\system32\rmwxzq.dll
C:\WINDOWS\system32\sbbkhj.dll
C:\WINDOWS\system32\tnblus.dll
C:\WINDOWS\system32\ysavvz.dll
C:\WINDOWS\system32\anggmpys.ini
C:\WINDOWS\system32\beawuhvg.ini
C:\WINDOWS\system32\dhnmvkmm.ini
C:\WINDOWS\system32\dwihcwqb.ini
C:\WINDOWS\system32\geovtecl.ini
C:\WINDOWS\system32\gQBayGgh.ini
C:\WINDOWS\system32\gQBayGgh.ini2
C:\WINDOWS\system32\kngrerso.ini
C:\WINDOWS\system32\myviraoa.ini
C:\WINDOWS\system32\ogeorshr.ini
C:\WINDOWS\system32\paqsvaeu.ini
C:\WINDOWS\system32\snsubeng.ini
C:\WINDOWS\system32\tfrugpyo.ini
C:\WINDOWS\system32\yuojfjwn.ini
C:\WINDOWS\Temp\WFV1.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\WFV7A3.tmp

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

After reboot right click Start and select Explore to bring up Windows Explorer. Use it to find all of the above files we had Killbox attempt to delete. If you still see them, delete them yourself.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!