trojan vundo in system 32

Guest

norton found trojan.vundo in system32\ssssjokr.dll and is unable to repair
and access denied i tried lippmans winfix scans in normal and safe mode they
find ssssjokr.dll but report unable to open file and no fix or removal
happens what am i doing wrong? bear in mind i'm not a computer all star here!
 
Carey Frisch [MVP]

You'll need to turn-off System Restore, reboot, then turn it back on.
The virus has infected your System Restore folder (system volume information).

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

| norton found trojan.vundo in system32\ssssjokr.dll and is unable to repair
| and access denied i tried lippmans winfix scans in normal and safe mode they
| find ssssjokr.dll but report unable to open file and no fix or removal
| happens what am i doing wrong? bear in mind i'm not a computer all star here!
| --
| huch
 
Ron Martell

Carey Frisch said:
| You'll need to turn-off System Restore, reboot, then turn it back on.
| The virus has infected your System Restore folder (system volume information).
|
| How to Turn On and Turn Off System Restore in Windows XP
| http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp

Bad advice.

Never, repeat never, turn off System Restore on an infected system,
unless and until it is absolutely proven that the only remnants of the
infection are contained in the system restore archives.

In this instance the infected file is in the \system32 folder so
turning off system restore will do diddly squat towards resolving the
issue.

Ron Martell Duncan B.C. Canada
 
David H. Lipman

From: "hucho" <[email protected]>

| norton found trojan.vundo in system32\ssssjokr.dll and is unable to repair
| and access denied i tried lippmans winfix scans in normal and safe mode they
| find ssssjokr.dll but report unable to open file and no fix or removal
| happens what am i doing wrong? bear in mind i'm not a computer all star here!
| --
| huch

Huch:

It's "Lipman" :)

You stated "...but report unable to open file and no fix or removal.."

My WinFixerFix tool in the McAfee scan mode does NOT report that kind of error.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply from the last scan.

I have updated the WinFixerFix tool to specifically handle the DLL you posted.
I suggest downloading the tool again. Here are the directions.


Two phase answer...

Perform Part 1 then perform Part 2

Part 1
------------
Download Adware-Virtumundo Removal Tool v1.5 --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Guest

sorry mr lipman i wasn't quoting the report i just watched the scan run and
when it came to ssssjokr.dll it said unable to open file and continued on i
will try your suggestion thanks
 
David H. Lipman

From: "hucho" <[email protected]>

| sorry mr lipman i wasn't quoting the report i just watched the scan run and
| when it came to ssssjokr.dll it said unable to open file and continued on i
| will try your suggestion thanks

I'll watch for your reply.
Please don't forget...
Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your reply.
 
Guest

12/25/2005 01:55:03


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
"C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 74349
Clean: ................. 74320
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:30.40
this is all i get in the report it still seems as if the scan cant look in
the system 32 file to check for virus
sorry for the lateness of this reply but some holiday stuff has gotten in
the way
 
David H. Lipman

From: "hucho" <[email protected]>

| 12/25/2005 01:55:03
|
| Options:
| /ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
| /PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
| "C:\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: []
| Scanning C:\*.*
|
| Summary report on C:\*.*
| File(s)
| Total files: ........... 74349
| Clean: ................. 74320
| Possibly Infected: ..... 0
| Cleaned: ............... 0
| Non-critical Error(s): 1
| Master Boot Record(s): ......... 1
| Possibly Infected: ..... 0
| Boot Sector(s): ................ 1
| Possibly Infected: ..... 0
|
| Time: 00:30.40
| this is all i get in the report it still seems as if the scan cant look in
| the system 32 file to check for virus
| sorry for the lateness of this reply but some holiday stuff has gotten in
| the way
|

It's a clean report. As long as you are logged in as the "administrator" or with an
account with administrative rights it can scan *all* areas of the OS.
 
David H. Lipman

From: "hucho" <[email protected]>

| i am logged in as admin so is there a next step something else i can try?
|

Are you still having problems?

No Vundo Trojan was noted in the McAfee report.
 
Guest

why is norton still finding trojan.vundo in system32 i still have a window up
on my screen that can't be closed all i can do is move it to a corner of
screen where its out of the way
 
David H. Lipman

From: "hucho" <[email protected]>

| why is norton still finding trojan.vundo in system32 i still have a window up
| on my screen that can't be closed all i can do is move it to a corner of
| screen where its out of the way

That's a good question. Please find the Norton log file and copy and paste the pertinent
information in your reply.

I want to see exactly what file (fully qualified name and path of the file) is being
declared to be infected by the Vundo trojan.
 
Guest

Source: C:\WINDOWS\system32\ssssjokr.dll
here's what i copied out of the norton log directly
huch
 
David H. Lipman

From: "hucho" <[email protected]>

| Source: C:\WINDOWS\system32\ssssjokr.dll
| here's what i copied out of the norton log directly
| huch
|


The Vundo generates random names and "morphs" constantly. However, I updated the tool
Monday for that particular DLL and its removal.

I ask that you download the updated version of WinFixerFix again and use it once again.
This time it should eliminate; C:\WINDOWS\system32\ssssjokr.dll

Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Guest

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4660 created Dec 27 2005
Scanning for 167896 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------



12/27/2005 17:12:38


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
"C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\WINDOWS\desktop.html ... Found the AdClicker-AJ trojan !!!
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 74411
Clean: ................. 74381
Possibly Infected: ..... 1
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:24.23



--------------------------------------------------------------------------------
this was interesting as it found a trojan not before mentioned on any
reports from this scan or norton scans also i ran both in norm and safe modes
and watched the scan run carefully both times the norm mode did the usual
showing the files as they were scanning and placing unable to open file
messages after several files including ssssjokr.dll but when i ran in safe
mode it did much the same except when it came to ssssjokr.dll it ran right
past it without saying unable to open file but it didn't seem to find the
trojan vundo I tried in both modes twice
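
Added example (not part of the original thread and not code from any tool mentioned in it): a small Python parser for the scan summary format pasted in this post, which lists detections and tallies how many files the report counts but shows neither as clean nor as possibly infected. The sample text is copied from the report above; the function names are hypothetical.

```python
import re

# Sample input: scan output and summary as pasted in the thread's second report.
SAMPLE_REPORT = """\
Scanning C:\\*.*
C:\\WINDOWS\\desktop.html ... Found the AdClicker-AJ trojan !!!
The file or process has been deleted.

Summary report on C:\\*.*
File(s)
Total files: ........... 74411
Clean: ................. 74381
Possibly Infected: ..... 1
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
"""

COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z \-()]*?):[\s.]*(\d+)\s*$")
DETECTION = re.compile(r"^(.+?) \.\.\. Found the (.+?) (trojan|virus)", re.I)

def parse_report(text):
    """Return (file counters, detections) from a pasted scan report."""
    counters, detections, in_files = {}, [], False
    for line in text.splitlines():
        hit = DETECTION.match(line.strip())
        if hit:
            detections.append((hit.group(1), hit.group(2)))
            continue
        if line.strip() == "File(s)":
            in_files = True
            continue
        m = COUNTER.match(line)
        if not m or not in_files:
            continue
        name, value = m.group(1).strip(), int(m.group(2))
        if name.startswith("Master Boot Record"):
            in_files = False  # later counters belong to MBR / boot sector
            continue
        counters[name] = value
    return counters, detections

def unaccounted_files(counters):
    """Files counted but reported neither clean nor possibly infected."""
    return counters["Total files"] - counters["Clean"] - counters.get("Possibly Infected", 0)
```

On both summaries posted in this thread the gap is 29 files, a number worth reconciling against the scanner's on-screen "unable to open file" messages when reading a summary.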
 
David H. Lipman

From: "hucho" <[email protected]>


| this was interesting as it found a trojan not before mentioned on any
| reports from this scan or norton scans also i ran both in norm and safe modes
| and watched the scan run carefully both times the norm mode did the usual
| showing the files as they were scanning and placing unable to open file
| messages after several files including ssssjokr.dll but when i ran in safe
| mode it did much the same except when it came to ssssjokr.dll it ran right
| past it without saying unable to open file but it didn't seem to find the
| trojan vundo I tried in both modes twice

I am confused by your answer.
Does NAV still report Trojan.Vundo in ssssjokr.dll ?
 
Guest

yep still have the unable to repair access denied notices on my screen that
can't be cleared
 
David H. Lipman

From: "hucho" <[email protected]>

| yep still have the unable to repair access denied notices on my screen that
| can't be cleared

This is confusing as I have created a pseudo ssssjokr.dll file and tested the utility and
it does get removed.

Download Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Extract Killbox.exe and execute it

In the Full Path of File to Delete box, type the entire following line exactly

C:\windows\SYSTEM32\ssssjokr.dll

Select; Replace on Reboot
put a check in the box "Use Dummy"
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click YES

Allow the PC to shutdown and then reboot into Safe Mode.

Run; c:\mcafee\clean.bat
 
Guest

it confuses me too i think i will have to bite the bullet and use the
reformat nuclear option unless you can think of anything else to try
thanx for your help anyway
 
David H. Lipman

From: "hucho" <[email protected]>

| it confuses me too i think i will have to bite the bullet and use the
| reformat nuclear option unless you can think of anything else to try
| thanx for your help anyway
|

One last thing.

Download and execute HiJack This! and then create a log file.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Please send me a copy of that log file via email.
To send me email remove ~nospam~ from [email protected]

Then post the HiJack This! log file in one of the below forums.

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
