A little help concerning Virtumonde Malware + Components

cjay554

OSNN Newbie
Joined
Feb 18, 2007
Messages
7
The solution for this problem is located at the bottom. Note: this solution should only be used if your anti-spyware cannot delete the component by itself and you have tried multiple other ways.


Ok, so I got this annoying malware thing. I've found its main component, sstqn.dll; it's in my system32 folder. I've tried to take it out with KillBox, Spybot, Ad-Aware, Spyware Doctor, Kaspersky (Kaspersky can't detect it of course because it's not a virus). Anyway, I got the component; Spyware Doctor is picking up its traces as
Explorer.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
firefox.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
also...
Ad-Aware.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
HijackThis.exe (C:\WINDOWS\SYSTEM32\sstqn.dll)
but I'm running scans with those two so I kind of expect it to take them into consideration.
Anyway, I can tell it's inside my explorer.exe shell and my Firefox, but I can't delete it anyway. I also tried this MoveOnBoot program; that doesn't do anything.
It's got to be either protected by some sort of other file somewhere I can't detect, OR Windows is seriously not about to let that file be deleted.

Anyway, here's my HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 9:54:36 PM, on 2/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Chri\Desktop\Unused Desktop Shortcuts\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = %3clocal%3e:80
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nkladoyw.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A2333-FFE2-43C2-90E8-6590F38C95D0}: NameServer = 192.168.1.2
O18 - Protocol: bw+0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {B10796BA-015B-4D8C-8471-816DC2A8187C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)



Apparently, from my research on Google, I've seen a lot of people take care of this Virtumonde malware with no problem... but they also deleted different components and programs that were infected. I just got one little bastard component that won't delete. Any help?
Any and all help will be deeply appreciated :)
since I've been wrestling with this thing for weeks now, and I could probably learn a bit from this experience and be able to help others with similar problems.

PS. I'm really into network security :p
That's why I'm really interested when my computer gets infected somehow, and I let myself try to figure it out before reaching for help, but in this case I'm stumped.

Thank you :)
 
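Added example, not part of the original post: a small triage script over HijackThis log lines of the kind posted above. HJT's own line prefixes name the load point (O2 for Browser Helper Objects, O4 for Run keys, O20 for Winlogon Notify DLLs), and the script scores each line by how it loads a DLL and by whether the file name looks randomly generated, rather than by a fixed name. That matters here because the posted log already contains a second DLL of the same shape that none of the scans in the thread mentioned: the O4 line `rundll32.exe "C:\WINDOWS\system32\nkladoyw.dll",setvm`. The O4 and O21 sample lines are copied from the log above; the O2 and O20 lines are constructed for the example (the posted log has neither), and the CLSID in the O2 line is a placeholder, not a real registration. The score thresholds and the "random-looking name" pattern are this example's assumptions, tuned to the names in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The three O4 lines and the O21 line are copied from the
# HijackThis log posted above; the O2 and O20 lines are constructed for this
# example (HJT 1.99.1 reports Browser Helper Objects as O2 and Winlogon Notify
# DLLs as O20, but the posted log contains neither), and the O2 CLSID is a
# placeholder, not a real registration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nkladoyw.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\sstqn.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.dll", re.IGNORECASE)
# rundll32.exe "<path>.dll",<export>: a Run key that hands a DLL an entry point
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*\w+', re.IGNORECASE)
# 4-8 lowercase letters, no digits, no mixed case: the shape of every name in this thread
RANDOM_STEM_RE = re.compile(r"^[a-z]{4,8}$")
KNOWN_GOOD_STEMS = {"wpdshserviceobj", "shell32", "browseui"}  # assumed allowlist
FLAG_THRESHOLD = 3


@dataclass
class Finding:
    section: str
    path: str
    score: int
    reasons: list


def triage_line(line: str):
    """Score one HJT line; return a Finding if it looks like a randomly named
    DLL wired into a privileged load point, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    paths = DLL_PATH_RE.findall(body)
    if not paths:
        return None
    path = paths[-1]
    stem = path.rsplit("\\", 1)[-1][:-4].lower()  # file name without ".dll"
    lower = body.lower()
    score, reasons = 0, []
    if section == "O4" and RUNDLL_RE.search(body):
        score += 2
        reasons.append("Run key starts the DLL via rundll32 with a named export")
    if section == "O20":
        score += 2
        reasons.append("Winlogon Notify DLL: mapped into winlogon.exe before any user logs on")
    if section == "O2" and "(no name)" in lower:
        score += 2
        reasons.append("unnamed Browser Helper Object: loaded into IE and Explorer")
    if "\\system32\\" in lower or "\\locals~1\\" in lower or "\\local settings\\" in lower:
        score += 1
        reasons.append("stored in system32 or a per-user temp directory")
    if RANDOM_STEM_RE.match(stem) and stem not in KNOWN_GOOD_STEMS:
        score += 1
        reasons.append(f"random-looking file name {stem}.dll")
    if score < FLAG_THRESHOLD:
        return None
    return Finding(section, path, score, reasons)


def triage_log(text: str):
    """Return the flagged lines of a whole HJT log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def flagged_files(text: str):
    """Distinct flagged DLL file names, lower-cased, in first-seen order.
    This is the delete list for whatever removal step follows."""
    seen = []
    for f in triage_log(text):
        name = f.path.rsplit("\\", 1)[-1].lower()
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section} {f.path} (score {f.score})")
        for r in f.reasons:
            print("   -", r)
```

Run it against a saved HJT log instead of SAMPLE_LOG and it returns the file names to remove plus the load points that reference them; the signed, well-known entries (Kaspersky, ctfmon.exe, WPDShServiceObj.dll) score below the threshold and are left alone.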

cjay554

Ok, forget the whole thing, I figured it out.
Here it is:

Apparently the sstqn.exe was bound with the WinLogon process. Simple:
went to Safe Mode,
used KillBox to stop the winlogon service, and deleted it;
when I did it without stopping the process it said it can't be deleted, so I started stopping them one by one and trying to delete the file, and finally the little bastard got deleted! I'm not sure if that's the end of my problems (popups),
as it is not... apparently just now a popup came up -.-''
Ok! So I have a bit of a road ahead of me, I'll keep you guys updated.

Oh, and a hint for future reference: remember, if a file can't be deleted, try stopping some processes.
ALTHOUGH some processes may cause a BSOD, so be careful; just keep a wise eye out :)
I think I might have damaged my system a bit by doing this... so I'm going to figure out what really happened.

Pretty funny how as I posted my problem I figured it out, huh? :/
It just hit me: "why don't you take out a process and see?"
and when I did it and it worked: "Duh".

Ok, it seems like I'm writing to myself here... anyway, I found another problem. Since I deleted the sstqn.dll and restarted...
my Spyware Doctor picked up another one... mlljh.dll... pretty much the same as sstqn.dll, same place, same thing, just a different name.
Argh, ok, I'm going to figure this one out.
One, there may be some other program on my computer that is replacing the missing component when I deleted it... because supposedly it was to find this one as well as sstqn.dll, but apparently it only showed me one of them.. so I think these files are supporting each other, going back and forth: if one is deleted, renew it... x.x'
I'll keep updating...

Ok, here's what my Trend Micro anti-spyware "Venus Trap" found out...
some Internet Explorer plugins! yay! -.-''
Guess what their names are?
C:\WINDOWS\system32\sstqn.dll...

C:\WINDOWS\system32\mlljh.dll...

C:\WINDOWS\system32\gebbxyv.dll
C:\Docume~1\UserName\Locals~1\~DP2A.dll

C:\WINDOWS\system32\aatqr.dll

C:\WINDOWS\system32\awtqr.dll

C:\WINDOWS\system32\pyallfdx.dll

I'm going to take a quick hint and say these are the files' "support group".

And the little bastards are messing with my registry tools, giving me a restriction that disables the ability to go into regedit... hah, how I love the ways of viruses ^_^
Smart little bastards...
TIME TO DELETE! :D

Note: you must take out the Winlogon process from Safe Mode; in a normal startup it will restart your computer to take out the process, or at least it did for me.

Ok, so this is turning out to be one hell of a trip. I'm done for tonight; I'll update so far:
I deleted the mlljh.dll + gebbxyv.dll, since I was only able to find those; the other, aatqr.dll, didn't exist.. not sure why... but I deleted these the same way.

NOTE!
When you take out the Winlogon process make sure you take out smss.exe as well; for some reason it only stays logged in when both are taken out at the same time. If you just take out winlogon the computer will restart, and if you do smss.exe first, then pause, then take out winlogon, it will still restart... I have no idea how...
ANYWAY!
I deleted the two files with KillBox after taking out the process, and so far my scans have not shown any "Virtumonde" malware anywhere ^_^
although I am in the middle of the scan.. and I'm sleepy... but I shall update tomorrow!
See how crazy I get when it comes to viruses, I seem to forget about sleep >.>'
Anyway, I shall update. Goodnight.
 

cjay554

WARNING: Getting rid of these components MAY be a HAZARD to the system. I have gotten the BSOD a few times... not sure if it is from this or not; I am currently fixing it with System Mechanic 6... Be aware of the "casualties".
To me it was worth getting off; that thing was pissing me off and slowing my computer to a snail's pace.


Okay! It's done, I finished it all.
With a minor setback...
The files C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\gebbxyv.dll
and others listed that may be a part of it (I didn't find any trace of these):
C:\Docume~1\UserName\Locals~1\~DP2A.dll
C:\WINDOWS\system32\aatqr.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\pyallfdx.dll

I deleted these files as follows...

1. Began Windows in Safe Mode
2. Logged in as Admin
3. Had a program called KillBox
4. Opened KillBox
5. Used a program to scan my system
6. Tried deleting the files listed normally, and with KillBox
7. If not able to (in my case) I took out the processes "smss.exe" and "winlogon.exe"
8. Then deleted the files sstqn.dll, mlljh.dll, and gebbxyv.dll
9. Windows will not allow a restart after WinLogon is terminated, for the reason that WinLogon, as its name states, is the main component in logging in and out of Windows.
10. I used KillBox's Force Reboot to restart the computer
11. Started in normal boot, scanned the PC for malware (using Spyware Doctor)
12. No malware found; also it didn't show any separate malware that "VirtuMonde" downloads from the web.

And that's all she wrote! Do comment if you found this useful in any way =]
and if you have a setback somewhere or any more info, please do comment and state it. This little bugger was tricky, but it did open up how to get it off and maybe a million other ones.
 
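Added example, not from the original post: the mechanism that delete-on-reboot tools such as MoveOnBoot and KillBox's reboot option rely on, written out so the procedure above can be done without terminating winlogon.exe and smss.exe. Windows keeps a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; each pair of strings is a source path in \??\ form followed by a destination, and an empty destination means delete. smss.exe processes that list early in boot, before winlogon.exe, Explorer or a browser has mapped the DLL, so the file is not locked at that point. The caveat the thread itself illustrates: the queued deletion removes only the file, so the Run, BHO and Winlogon Notify entries that load it have to be cleared in the same pass, or a still-registered component drops a fresh copy under a new name (sstqn.dll, then mlljh.dll, above). The registry write needs an administrator token and is Windows-only; the list-merging logic runs anywhere. The checklist of load points at the end is this example's own summary, not something the original post lists.

```python
import sys

# HKLM subkey and value that smss.exe reads during boot (documented Windows
# behaviour; MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes the same value).
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def to_nt_path(win_path: str) -> str:
    r"""C:\WINDOWS\system32\sstqn.dll -> \??\C:\WINDOWS\system32\sstqn.dll
    The Session Manager resolves entries through the NT object manager, so
    Win32 drive-letter paths must carry the \??\ prefix."""
    if win_path.startswith("\\??\\"):
        return win_path
    return "\\??\\" + win_path


def add_delete_on_boot(existing, paths):
    """Merge delete requests into a PendingFileRenameOperations list.

    The value is a REG_MULTI_SZ of string pairs: source, then destination.
    An empty destination means "delete source". Entries already queued (by
    Windows Update, an installer, an earlier run) are preserved and duplicates
    are skipped, so we never clobber someone else's pending rename.
    """
    ops = list(existing or [])
    if len(ops) % 2:
        # An odd-length list would shift every later source into a destination slot.
        raise ValueError("existing PendingFileRenameOperations value is malformed")
    queued = {ops[i].lower() for i in range(0, len(ops), 2)}
    for p in paths:
        nt = to_nt_path(p)
        if nt.lower() in queued:
            continue
        ops.extend([nt, ""])
        queued.add(nt.lower())
    return ops


def schedule_delete_on_boot(paths):
    """Windows-only: read the live value, merge, write it back. Needs an
    administrator token because the key lives under HKLM."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("run this on the infected Windows host")
    import winreg  # stdlib on Windows; imported lazily so the merge logic runs elsewhere too
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            existing = []
        merged = add_delete_on_boot(existing, paths)
        winreg.SetValueEx(key, PENDING_VALUE, 0, winreg.REG_MULTI_SZ, merged)
    return merged


# Load points named in this thread that must be cleared in the same pass as the
# file; otherwise a still-registered component recreates the DLL under a new name.
# Constructed checklist for this example; the subkey names are the standard ones.
LOAD_POINTS_TO_CLEAR = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<dll stem>",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}",
)


if __name__ == "__main__":
    # Dry run: show what would be written, without touching the registry.
    current = []  # pretend nothing is queued yet
    print(add_delete_on_boot(current, [r"C:\WINDOWS\system32\sstqn.dll",
                                       r"C:\WINDOWS\system32\mlljh.dll"]))
```

On the host itself, `tasklist /m sstqn.dll` (available on XP Professional) lists the processes that currently have the DLL mapped, which is what decides whether a plain delete can work at all; when it cannot, call schedule_delete_on_boot() from an administrator prompt, remove the load-point entries, and reboot once.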

cjay554

Oh, and a note: the file rundll32.exe was deleted in the process.. not sure if it was due to the virus or my mistake, although I don't recall deleting it.
This file is mainly for system operations:
security center
add/remove hardware/software
system settings
etc.
When it's deleted the OS states the program cannot find rundll32.exe.
Remember the 32** in the name;
look for a site to reinstall the component, easy fix.
 