A little help concerning VertuMonde Malware + Components

Discussion in 'Windows Desktop Systems' started by cjay554, Feb 25, 2007.

  1. cjay554

    cjay554 OSNN One Post Wonder

    Solution for this problem is located at the bottom. Note: this solution should only be used if ur anti-spyware cannot delete the component by itself and u have tried multiple other ways.


    Ok, so I got this annoying malware thing. I've found its main component, sstqn.dll, it's in my system32 folder. I've tried to take it out with Killbox, Spybot, Ad-Aware, Spyware Doctor, Kaspersky (Kaspersky can't detect it of course cuz it's not a virus). Anyway, I got the component, Spyware Doctor is picking up its traces as
    Explorer.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
    firefox.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
    also...
    Ad-Aware.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
    HijackThis.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
    but I'm running scans with those two so I kinda expect it to take them into consideration.
    anyway, I can tell it's inside my explorer.exe shell, and my firefox, but I can't delete it anyway. I tried also this MoveOnBoot program, that doesn't do anything.
    it's gotta be either protected by some sort of other file somewhere I can't detect, OR Windows is seriously not about to let that file be deleted.

    Anyway, here's my HJT Log...


    Logfile of HijackThis v1.99.1
    Scan saved at 9:54:36 PM, on 2/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Documents and Settings\Chri\Desktop\Unused Desktop Shortcuts\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = %3clocal%3e:80
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nkladoyw.dll",setvm
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{690A2333-FFE2-43C2-90E8-6590F38C95D0}: NameServer = 192.168.1.2
    O18 - Protocol: bw+0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)



    Apparently with my research on Google, I've seen a lot of people take care of this Virtumonde malware with no problem... but they also deleted different components and programs that were infected. I just got one little bastard component that won't delete, any help?
    Any and all help will be deeply appreciated :)
    since I've been wrestling with this thing for weeks now, and I could prolly learn a bit from this experience and be able to help others with similar problems.

    PS. I'm really into network security :p
    That's why I'm really interested when my computer gets infected somehow and I let myself try to figure it out before reaching for help, but in this case, I'm stumped.

    Thank you :)
     
    Last edited: Feb 25, 2007
  2. cjay554

    cjay554 OSNN One Post Wonder

    Ok, forget the whole thing, I figured it out,
    here it is

    Apparently the sstqn.exe was bound with the WinLogon process, simple:
    went to safe mode,
    used KILLBOX to stop the winlogon service, and deleted.
    When I did it without stopping the process it said it can't be deleted, so I started stopping one by one and trying to delete the file, finally the little bastard got deleted! I'm not sure if that's the end of my problems (popups)
    as it is not... apparently just now a popup came up -.-''
    ok! so I have a bit of a road ahead of me, I'll keep you guys updated

    oh and hint, for future reference, remember if a file can't be deleted try stopping some processes.
    ALTHOUGH, some processes may cause the BSOD, so be careful, just keep a wise eye out :)
    I think I might have damaged my system a bit by doing this... sooo I'm gna figure out what really happened

    Pretty funny how as I posted my problem I figured it out huh? :/
    it just hit me "why don't you take out a process and see?"
    and when I did it and it worked, "Duh"

    Ok it seems like I'm writing to myself here... anyway I found another problem, since I deleted the sstqn.dll and restarted...
    my Spyware Doctor picked up another one... mlljh.dll... pretty much the same as sstqn.dll, same place, same thing, just a dif name.
    argh, ok I'm gna figure this one out,
    One, there may be some other program on my comp that is replacing the missing component when I deleted it... cuz supposedly it was to find this one as well as sstqn.dll, but apparently it only showed me one of them.. so I think these files are supporting each other, going back and forth: if one is deleted, renew it... x.x'
    I'll keep updating...

    Ok here's what my TrendMicro Anti-spyware "Venus Trap" found out...
    some Internet Explorer plugins! yay! -.-''
    guess what their names are?
    C:\WINDOWS\system32\sstqn.dll...

    C:\WINDOWS\system32\mlljh.dll...

    C:\WINDOWS\system32\gebbxyv.dll
    C:\Docume~1\UserName\Locals~1\~DP2A.dll

    C:\WINDOWS\system32\aatqr.dll

    C:\WINDOWS\system32\awtqr.dll

    C:\WINDOWS\system32\pyallfdx.dll

    I'm gna take a quick hint and say these are the files' "support group"

    and the little bastards are messing with my registry tools, giving me a restriction to disable the ability to go into regedit... hah how I love the ways of viruses ^_^
    smart little bastards...
    TIME TO DELETE! :D

    Note: U must take out the Winlogon process from safe mode, in normal startup it will restart ur computer to take out the process, or at least it did for me

    Ok so this is turning out to be one hell of a trip, I'm done for tonight, I'll update so far:
    I deleted the mlljh.dll + gebbxyv.dll, since I was only able to find those, the other aatqr.dll didn't exist.. not sure why... but I deleted these the same way

    NOTE!
    When u take out the Winlogon process make sure u take out smss.exe as well, for some reason it only stays logged in when both are taken out at the same time. If u just take out winlogon the comp will restart, and if u do smss.exe first, then pause, then take out winlogon it will still restart... I have no idea how...
    ANYWAY!
    I deleted the two files with Killbox after taking out the process, and so far, my scans have not shown any "Virtumonde" malware anywhere ^_^
    although I am in the middle of the scan.. and I'm sleepy... but I shall update tomorrow!
    See how crazy I get when it comes to viruses, I seem to forget about sleep >.>'
    anyway, I shall update, goodnight
     
    Last edited by a moderator: Feb 25, 2007
  3. cjay554

    cjay554 OSNN One Post Wonder

    WARNING: Getting rid of these components MAY be a HAZARD to the system. I have gotten the BSOD a few times... not sure if it is from this or not, I am currently fixing it with System Mechanic 6... Be Aware Of The "Casualties"
    To me, it was worth getting off, that thing was pissing me off and slowing my comp to a snail.


    Okay! it's done, I finished it all.
    With a minor setback...
    The files, C:/WINDOWS/system32/sstqn.dll
    C:/WINDOWS/system32/mlljh.dll
    C:/WINDOWS/system32/gebbxyv.dll
    and others listed that may be a part of it (I didn't find any trace of these)
    C:\Docume~1\UserName\Locals~1\~DP2A.dll
    C:\WINDOWS\system32\aatqr.dll
    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\pyallfdx.dll

    I deleted these files as follows...

    1. Began Windows in Safe Mode
    2. Logged In as Admin
    3. Had a Program called KillBot
    4. Opened KillBot
    5. Used a program to Scan my system
    6. Tried deleting the files listed normally, and with KillBot
    7. If not able to (in my case) I took out the processes "smss.exe" and "winlogon.exe"
    8. Then deleted the files sstqn.dll, mlljh.dll, and gebbxyv.dll
    9. Windows will not allow restart after WinLogon is terminated, for the reason that WinLogon, as its name states, is the main component in logging in and out of Windows.
    10. I used KillBot's Force Reboot to restart the comp
    11. Started in normal boot, scanned PC for malware (using Spyware Doctor)
    12. No malware found, also it didn't show any separate malware that "VirtuMonde" downloads from the web.

    And that's all she wrote! do comment if you found this useful in any way =]
    and if you have a setback somewhere or any more info, please do comment and state it. This little bugger was tricky, but it did open up how to get it off and maybe a million other ones.
     
    Last edited: Feb 25, 2007
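A defender-side check that follows from the hint in post 2 ("if a file can't be deleted try stopping some processes") and the procedure in post 3: before terminating anything, find out which processes actually hold the DLL and which autorun or Winlogon entries would reload it. This is an added example, not cjay554's code or anything posted in the thread; it assumes Windows PowerShell on the affected machine, an elevated session, and uses the DLL names reported above as its default input.

```powershell
# Added example, not code from the thread. Triage for a DLL that "won't delete":
# report which running processes have it loaded and which autorun / Winlogon
# registry entries reference it, so the operator knows what is holding the file
# and what will restore it, instead of killing system processes by trial and error.
# Default names are the ones reported in the thread. Run from an elevated session.
param(
    [string[]]$DllNames = @('sstqn.dll', 'mlljh.dll', 'gebbxyv.dll')
)

function Get-ProcessesHoldingModule {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($proc in Get-Process) {
        # Reading .Modules of protected/system processes (winlogon, smss, csrss)
        # throws Access Denied from a non-elevated session; record it and keep going.
        try {
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $Name })
        } catch {
            Write-Verbose ("Cannot enumerate modules of {0} (PID {1}): {2}" -f `
                $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }
        foreach ($m in $hits) {
            [pscustomobject]@{
                Dll     = $Name
                Process = $proc.ProcessName
                PID     = $proc.Id
                Path    = $m.FileName
            }
        }
    }
}

function Get-AutorunEntriesReferencing {
    param([Parameter(Mandatory)][string]$Name)
    $pattern = [regex]::Escape($Name)

    # Run keys: the entries HijackThis lists as O4. The thread's log shows the
    # pattern worth flagging: rundll32.exe loading a DLL out of system32.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            if ("$($prop.Value)" -imatch $pattern) {
                [pscustomobject]@{ Dll = $Name; Location = $key; Entry = $prop.Name; Command = $prop.Value }
            }
        }
    }

    # Winlogon\Notify subkeys name a DLL (value DLLName) that winlogon.exe loads at
    # logon; a DLL that only winlogon holds open, as in the thread, is often registered here.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if ("$dll" -imatch $pattern) {
                [pscustomobject]@{ Dll = $Name; Location = $sub.PSPath; Entry = 'DLLName'; Command = $dll }
            }
        }
    }
}

foreach ($name in $DllNames) {
    "== $name =="
    $holders = @(Get-ProcessesHoldingModule -Name $name)
    if ($holders) { $holders | Format-Table -AutoSize } else { "  not loaded in any readable process" }
    $entries = @(Get-AutorunEntriesReferencing -Name $name)
    if ($entries) { $entries | Format-List } else { "  no Run or Winlogon\Notify entry references it" }
}
```

If the only holder reported is winlogon.exe and a Notify entry references the file, removing that registry entry and rebooting releases the file without terminating winlogon, which is what caused the restarts and blue screens described in posts 2 and 3.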
  4. cjay554

    cjay554 OSNN One Post Wonder

    Oh and a note, the file rundll32.exe was deleted in the process.. not sure if it was due to the virus or my mistake, although I don't recall deleting it.
    This file is mainly for system operations:
    security center
    add remove hardware/software
    system settings
    etc.
    When it's deleted the OS states the program cannot find rundll32.exe.
    Remember the 32** in the name,
    look for a site to reinstall the component, ez fix