Winfixer and other spyware/virus problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by kms57, Jan 2, 2006.

  1. kms57

    kms57 Private E-2

    Summary: I have read and followed all procedures in the "Read & Run me first" and "Virtumonde aka Trojan Vundo Fix" posts. Note that I cannot boot into safe mode (symptoms detailed later in case that's important) so I powered down and physically disconnected from the network before running all procedures/scans. At this point I'm not sure if Winfixer has been eliminated - I haven't seen it since the last boot but I clearly have other problems so wanted to post anyway. Also, because other problems continue I have not bothered with disabling system restore.

    System specs:
    Windows XP Professional Service Pack 2 (build 2600)
    Dell Dimension 8300 2.80 gigahertz Intel Pentium 4
    c: (NTFS on drive 0) 79.95 GB 20.83 GB free
    m: (NTFS on drive 1) 160.04 GB 126.38 GB free
    1536 Megabytes Installed Memory
    I have a Belarc advisor log I can supply on request.

    Procedure results:
    Uninstall Malware - removed 2 via add/remove programs
    Ran CCleaner
    MS Windows Malicious S/W removal tool found no problems.
    Ad-aware - found and removed 17
    Spybot - found 1 and fixed
    Antispyware - found 2 adware, 1 trojan, 1 spyware
    CWShredder - no issues found today but I ran this earlier in the week and it found CWS.MSCONFIG.
    Kill2me - no symptoms so did not run
    Note that I also ran Pest Patrol earlier this week - removed 12 entries, including several "Winfixer_2005 in registry" entries. Note I saw several Winfixer windows after this so it didn't fix anything.
    Installed ie-spyad.
    Possible symptom - throughout this I am booted normally but physically disconnected from the network. I must have had 15 or 20 dialog boxes - "Web page unavailable while offline. To view this page, click Connect." No indication which web page it was trying to open - not something I was doing.

    Then rebooted normally to run the online scans. Some strange things that just started today after every normal boot. 1) A Windows Explorer window of c:\windows\system32 opens every time I boot. 2) I get a dialog box "Caution: You are attempting to open a file of type 'Data Base file' (.db). These files are used by the operating system and by various programs. Editing or modifying them could damage your system. If you still want to open the file, click Open With, otherwise click cancel". Just for grins I clicked Open With and the file it's trying to open is thumbs.db. Why that's giving me an error is beyond me - seems very innocuous.

    Ran Bitdefender - identified several viruses that it could not disinfect. Log file attached (BitDefender Scan Report.txt).
    Ran Panda ActiveScan - found 2 adware and 2 viruses. Log file attached (Activescan.txt). Note that one of the virus names (C:\WINDOWS\SYSTEM32\mlljj.dll) showed up again when I did the Trojan Vundo fix.
    Ran and saved a HijackThis log.

    At this point I got into msconfig and selected diagnostic boot. Powered down and physically disconnected from the network again and powered back up. (Safe mode no longer works for me.)
    When I looked at the HijackThis log I found not one but 2 files that were listed in both the O2 and O20 sections: c:\windows\system32\jkkjg.dll and mlljj.dll. I ran the VundoFix procedure twice, once for each file, and the result was the same: "The process cannot access the file because it is being used by another process. Attempting to delete c:\windows\system32\jkkjg.dll (or mlljj.dll)."

    I ran a new HijackThis log (attached). Both the files are still there. I haven't seen a Winfixer window since my last boot but it's only been 45 minutes :).

    In case this "used by another process" issue can't be fixed until I can get safe mode to work again, here is what happens when I boot into safe mode - it seems to hang partway through the login process.
    Basic Dell bios load screen and then windows splash.
    Black screen with "safe mode" in the 4 corners of the screen
    Windows is starting up... screen
    Login screen with all user accounts showing.
    I log in as administrator or another account with admin privileges.
    Loading personal settings screen.
    Black screen with "safe mode" in the 4 corners.
    Dialog box with "Windows is running in safe mode, etc." appears very briefly and then goes away. Quickly clicking yes doesn't make a difference.
    Then nothing. I'm sitting with a black screen, safe mode in the 4 corners, MS Windows XP...SP2 on the top, a mouse cursor and nothing else. The only thing I can do is ctrl-alt-delete to get a task manager window or press "windows-key L", which presents me with an "Unlock Computer - this computer is in use and has been locked" window. If I use the same account I'm logged in to nothing happens - back to the same screen. If I choose another userid with admin privs I get "This will log off the current user". I choose OK and get back to the basic login screen with all user accounts showing.

    Your help in getting my system cleaned up is greatly appreciated. Can you tell I have teenagers who like AIM? Sigh. Thanks.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You are still infected. The procedure will only work if you run it from safe mode. Give me a few minutes to look at your log and I'll give you another procedure to try.

    In the meantime, empty your Norton Quarantine folder.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below process is:
    O4 - HKCU\..\Run: [iernonce] C:\WINDOWS\system32\iernonce.exe

    Okay let's use my older manual approach to fixing Virtumonde. Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later. You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkjg.dll once and then click the kill button. After you have killed all of the jkkjg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above in the winlogon.exe process but look for mlljj.dll

    Next double click on explorer.exe and again click once on each instance of jkkjg.dll and kill it.

    Now repeat the above in the explorer.exe process for mlljj.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkkjg.dll
    O20 - Winlogon Notify: jkkjg - C:\WINDOWS\system32\jkkjg.dll
    O20 - Winlogon Notify: mlljj - C:\WINDOWS\SYSTEM32\mlljj.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\gjkkj.ini
    C:\WINDOWS\SYSTEM32\gjkkj.ini2
    C:\WINDOWS\SYSTEM32\gjkkj.bak
    C:\WINDOWS\SYSTEM32\gjkkj.bak1
    C:\WINDOWS\SYSTEM32\gjkkj.bak2
    C:\WINDOWS\SYSTEM32\gjkkj.tmp
    C:\WINDOWS\System32\jkkjg.dll

    C:\WINDOWS\SYSTEM32\jjllm.ini
    C:\WINDOWS\SYSTEM32\jjllm.ini2

    C:\WINDOWS\SYSTEM32\jjllm.bak
    C:\WINDOWS\SYSTEM32\jjllm.bak1
    C:\WINDOWS\SYSTEM32\jjllm.bak2
    C:\WINDOWS\SYSTEM32\jjllm.tmp
    C:\WINDOWS\System32\mlljj.dll

    If you find any other files in this folder that begin with gjkkj or jjllm and end with any other extension (the .ini is an extension) delete them too.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log and tell me how the steps went. Doing this in normal boot mode does not always work. That is why we try to use safe mode.
     
  4. kms57

    kms57 Private E-2

    No can do. Norton shows quarantine as empty and the C:\Program Files\Norton AntiVirus\Quarantine folder referenced in the log is also empty except for two empty folders, one called Incoming and one called Portal. I have view hidden files and folders turned on so that's not it. Also, I'm in an account with administrator privileges.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe BitDefender was able to delete them all. Just continue with the Virtumonde removal steps.
     
  6. kms57

    kms57 Private E-2

    Right off the bat I'm getting a message from Process Explorer: "Your account does not have the DEBUG privilege so Process Explorer will run with reduced capabilities." Since I see no file names under the Threads tab at all, I thought I'd check with you to see if I should continue with the HijackThis instructions or if you can tell me how to grant myself this debug privilege. I'm running from an account with admin privs.
     
  7. kms57

    kms57 Private E-2

    One more thing - I was told iernonce is an Internet Explorer run-once program that supposedly executes once after a reboot. ZoneAlarm was having fits with it a few months ago but then it stopped and I can't remember what I did. I'm not seeing the ZoneAlarm alert any more but obviously you saw it somewhere. It's not anything that I should care about as far as I know.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you logged into an administrator account?

    See the below about setting Debug privileges:

    http://www.microsoft.com/msj/0398/win320398.aspx
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For what purpose? I remember an iernonce.dll for Win 95 (I think). But why are you using it?

    You allowed it to have access to the Internet. If you don't know what this is being used for you should remove it. It is not a standard thing to have running.
     
    Last edited: Jan 3, 2006
  10. kms57

    kms57 Private E-2

    Yes, I'm logged in to an administrator's account and will follow the procedure to grant it debug priv before I run process explorer again. I'll let you know how it goes tomorrow. Thanks much.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about iernonce? What do you use it for and why?
     
  12. kms57

    kms57 Private E-2

    I don't use it. Also, I do not allow it access to the internet - I double checked ZoneAlarm and it's not there. So I assume it should be blown away.

    I have the source code enabledebugprivandrun but since I'm not a developer I don't have a compiler. Just for grins I downloaded the free trial of Visual C++ from microsoft but I'm getting errors trying to compile and I don't know enough to fix it. Is there an already-compiled executable out there I can download and run?
     
  13. kms57

    kms57 Private E-2

    Update:
    I am now sometimes able to boot into safe mode. No idea why it started working although I did some cleanup today and among other things I found and removed a couple of unknown programs from my daughter's startup folder, cleaned up a couple of errors in my own account, etc. So far it only works if I use the Administrator account first, then log off and log in to my own, which has administrator privilege. I only use my own because I have some of the necessary tools on my desktop.

    Bottom line, however, is that I still can't run KillVundo.bat. Even though I'm in safe mode I still get the same error - "The process cannot access the file because it is being used by another process. Attempting to delete c:\windows\system32\jkkjg.dll (or mlljj.dll)."

    I guess something else is going on even though I'm in safe mode.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use the other process I gave you with Process Explorer and see if it works now. If not, click Start, Run, and enter secpol.msc and click OK. This will bring up the Local Security Settings window. Select Local Policies and then User Rights Assignment. And then in the right pane locate the Debug Programs option. Normally the Security Setting column just shows Administrators. What does yours say? If necessary, for a short time frame, you could add each user name to this policy.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes fix that line using HJT and delete the file if found.
     
  16. kms57

    kms57 Private E-2

    Process Explorer worked beautifully this time. Question - I'm about to fix the jkkjg and mlljj lines in HijackThis (I'm on a different computer now) and notice that you did not include the second O2 - BHO line that referenced jkklg.dll. Should I fix that one as well or only the 3 listed?

    For reference:
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkkjg.dll
    O20 - Winlogon Notify: jkkjg - C:\WINDOWS\system32\jkkjg.dll
    O20 - Winlogon Notify: mlljj - C:\WINDOWS\SYSTEM32\mlljj.dll
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that was an oversight. Both of the below should be in the list:

    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkkjg.dll
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\mlljj.dll
     
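As an added example (not something either poster supplied), a small Python script that does the cross-check kms57 did by hand in post 1 and that chaslang's lists in posts 3 and 17 rely on: it parses the O2/O20 lines quoted above, flags any DLL registered both as a BHO and as a Winlogon Notify package, and derives the reversed-name companion files (gjkkj.*, jjllm.*) the Killbox step asks to check. The sample log is constructed from the lines quoted in this thread; the companion extensions are the ones listed in post 3.

```python
import re

# Constructed sample input: the HijackThis lines quoted in this thread
# (the O2 BHO, O4 Run and O20 Winlogon Notify entries), not a full log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkkjg.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\mlljj.dll
O4 - HKCU\..\Run: [iernonce] C:\WINDOWS\system32\iernonce.exe
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\system32\jkkjg.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\SYSTEM32\mlljj.dll
"""

# One regex per HijackThis section we care about; the path is the last
# " - " separated field on the line.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Companion-file extensions listed in the Killbox step of this thread
# (gjkkj.ini, gjkkj.ini2, ... next to jkkjg.dll).
COMPANION_EXTS = [".ini", ".ini2", ".bak", ".bak1", ".bak2", ".tmp"]


def parse_hjt(text):
    """Return {'O2': [...], 'O20': [...]} with paths folded to lowercase.

    Windows paths are case-insensitive and the log itself mixes
    'system32' and 'SYSTEM32' for the same file, so fold case first."""
    entries = {"O2": [], "O20": []}
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries["O2"].append({"name": m["name"], "clsid": m["clsid"].upper(),
                                  "path": m["path"].strip().lower()})
            continue
        m = O20_RE.match(line)
        if m:
            entries["O20"].append({"key": m["key"], "path": m["path"].strip().lower()})
    return entries


def find_vundo_candidates(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20).

    That double registration is what the thread's procedure targets: the
    O20 copy is loaded into winlogon.exe, which is why the file is
    'being used by another process' when the batch file tries to delete it."""
    bho_paths = {e["path"] for e in entries["O2"]}
    notify_paths = {e["path"] for e in entries["O20"]}
    return sorted(bho_paths & notify_paths)


def companion_names(dll_path):
    """Filenames to check alongside a suspect DLL: the reversed basename
    plus each extension in COMPANION_EXTS (jkkjg.dll -> gjkkj.ini, ...)."""
    filename = dll_path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    return [stem[::-1] + ext for ext in COMPANION_EXTS]


if __name__ == "__main__":
    for dll in find_vundo_candidates(parse_hjt(SAMPLE_HJT_LOG)):
        print(dll, "->", ", ".join(companion_names(dll)))
```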
  18. kms57

    kms57 Private E-2

    OK, the HJT part's done. Killbox question - delete temp files step. It probably wouldn't hurt anything but I'll ask anyway - should I delete all types of temp files (by default none are selected) including XP prefetch, cookies, etc. Also, should I delete them for all user profiles? I have nine - one for each of the four of us in the family plus Administrator, All Users, Default User, LocalService and NetworkService.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry I edited this. I forgot that Killbox changed.
    Delete all the temps and prefetch
     
  20. kms57

    kms57 Private E-2

    OK, I will delete all temps and prefetch for all 9 user profiles. Thanks.
     
  21. kms57

    kms57 Private E-2

    All is done. I have attached the latest HJT log file. Looks like the two DLLs are no longer there. ZoneAlarm had both jkkjg.dll and mlljj.dll on the program component lists with access so I've taken care of that, too.

    Once I uplifted my privileges I had no issues with Process Explorer. I deleted several entries for each suspect DLL, both in winlogon and explorer. No issues with Killbox either - deleted temp files, unregistered the DLLs and then deleted the various files you detailed below. It rebooted itself just fine. Along the way I also did a fix on iernonce.exe. This file did not exist but an iernonce DLL did exist, which I've now deleted. I also reset my privileges to normal but will not disable/re-enable System Restore until you give me a clean bill of health.

    I have no problem getting into safe mode now. I do see a couple of strange things however. If these are not spyware related and you want me to start a new thread in the software forum just say the word.

    My own account still starts a c:\windows\system32 Windows Explorer window every time I log in. No one else's does that and this was not happening before I began this little journey. When I log off it seems to take an extraordinarily long time to save my settings (a minute or more). My husband and my daughter both get MS Antispyware messages talking about their default URL being changed and both get a message about requested changes to internet security. I'll give you detailed messages if you'd like but I'm not in front of that computer right now. I don't plan on keeping the antispyware program running all the time - I can tell already it's going to drive me crazy and is a bit of a hog - but will use it for periodic scans.

    I will add more detail if needed after I review my notes and do more investigation tomorrow but for tonight I just wanted to get the hjt log file posted. Thanks and regards.
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should only be deleting what we ask you to delete. iernonce.dll is a valid Windows system file that you should not have deleted. Only C:\WINDOWS\system32\iernonce.exe should have been deleted.

    You do need to keep MS Antispyware or another similar blocking program running all the time (unless you enjoy having problems to fix).

    Just allow the changes in the other accounts. It is probably due to changes you have been making. If you make a change to a home page MS AS will warn you, if you do not allow the change then obviously it just sets the home page back to whatever was there before.

    See the below for your system32 folder opening at boot time:

    http://support.microsoft.com/?kbid=170086
     
    Last edited: Jan 3, 2006
  23. kms57

    kms57 Private E-2

    I noticed that I now have a c:\!Killbox folder that contains both of the malicious DLLs plus gjkkj.ini and a hidden logs folder. OK to delete?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can delete that folder. Killbox just creates backups there just in case you delete something you should not.

    How are things working now?
     
  25. kms57

    kms57 Private E-2

    Generally speaking, pretty good. No sign of Winfixer at all - THANKS! I still haven't fixed the system32 problem - I'm not seeing entries in the registry that seem to fit the scenario in the MS article. It also talks about deleting all the entries except the one required one for systray but that's one I don't have at all - confusing. Until I completely understand what I'm looking at I'm not changing anything.

    While I was in there I noticed that I still have registry entries for viewpoint, which is what I deleted from add/remove programs after reviewing the malware list. I also have an entry for wildarcade that points to a folder that doesn't exist on my hard drive. Should I delete them?

    Bitdefender is still showing a virus c:\program files\aim95\sysfiles\wxbug.exe but bitdefender can't delete it. I see that viewpoint.exe is sitting in the same folder even though I removed the application. I guess these are tagalongs from the aol instant messaging program my kids use. Any issues you know of with just blowing away those executables?

    Did you see any other things I should attend to while reviewing my hjt log?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before you start playing around too much with manual registry editing, make sure you do a backup of the registry first. You can do that with regedit by exporting the whole registry to a file or use a handy tool like: Erunt

    Afterwards, yes, the Viewpoint and Wildarcade stuff can be removed.

    Ignore BitDefender or stop using AIM and uninstall it from your PC. This will always be reported and is either a false positive or something in AIM that the scanners do not like.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me see if I can help you with the system32 problem (not a malware issue though).

    Download the attached GetRunKey118.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window which you can just close. Upload the runkeys.txt file here as an attachment.
     


  28. kms57

    kms57 Private E-2

    Here is the runkeys.txt attachment - thanks again.
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The item in the registry that is causing you problems is the empty key for Sonic RecordNow. Do the below:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Then delete the fixme.reg file from your Desktop or wherever you saved it.
     
  30. kms57

    kms57 Private E-2

    Thanks for your help - I've worked through the "protect yourself" link now. The system32 fix didn't work - the windows still opens even though that registry entry is gone - but thanks anyway. I realize that's not a topic for this particular forum so I'll start a new thread elsewhere. Thanks again.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! There must be a null entry in there someplace. That is normally the cause. Someone in software should be able to help you locate it. Possibly disable items one (or a few) at a time using msconfig until you locate which entry is causing it.
     
