Tech Support Forum - View Single Post - Trojan.Vundo -

sUBs · 10-08-2005, 02:12 PM

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose [Yes] at the Warning prompt.
Expand the [Tools] menu.
Click [Resident].
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
In the File menu click [Exit] to exit Spybot Search & Destroy.

We may need several passes before we can get Vundo out of the system

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop. Double-click on it to extract the files to a new folder on your desktop.

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
At the introductory screen, press <Enter> to proceed.
When asked to type in a filepath, please key this in:

C:\WINDOWS\system32\ssqrr.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\rrqss.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The fix will run then HijackThis will open.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\SYSTEM32\pmnno.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll

After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Once your machine reboots please post a new HJT log.
I need to ascertain whether you need another pass before we can proceed with the rest of the fix.

10-08-2005, 02:12 PM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,489 OS: N/A	While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose [Yes] at the Warning prompt. Expand the [Tools] menu. Click [Resident]. Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box. In the File menu click [Exit] to exit Spybot Search & Destroy. We may need several passes before we can get Vundo out of the system Please print these instructions out for use in Safe Mode. Please download VundoFix.exe to your desktop. Double-click on it to extract the files to a new folder on your desktop. Reboot your computer into Safe Mode. Restart your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat At the introductory screen, press <Enter> to proceed. When asked to type in a filepath, please key this in: C:\WINDOWS\system32\ssqrr.dll Press Enter, then press the F6 key, then press Enter one more time to continue with the fix. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Next you will be asked to type in a second filepath. At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\rrqss.* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * The fix will run then HijackThis will open. In HiJackThis, please place a check next to the following items and click FIX CHECKED: O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnno.dll O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ssqrr.dll O20 - Winlogon Notify: pmnno - C:\WINDOWS\SYSTEM32\pmnno.dll O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer. Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Once your machine reboots please post a new HJT log. I need to ascertain whether you need another pass before we can proceed with the rest of the fix. __________________ Question - what have you done for the community today?