-
Attachments: 3
TR/Vundo.Gen
Hi!
AntiVir tells me that C:\WINDOWS\system32\nnnkijk.dll is the trojan horse TR/Vundo.Gen
I ran HijackThis and AVZ as explained in the 'tutorial'. I have added them to this thread.
I do not know what to do next. Please, help me. Thank you very much.
-
First of all, you should update the AVZ database (File / Database update).
Secondly, you should make all logs in normal mode, with all unnecessary programs closed and your browser (Internet Explorer) still running. Is that a problem for you?
Meantime,
please run AVZ, go to File - Custom scripts, copy the code, paste it into the Custom scripts window and run the script.
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\temp\NavBrowser.exe','');
QuarantineFile('C:\Programme\TortoiseSVN\iconv\windows-1252.so','');
QuarantineFile('C:\WINDOWS\system32\nnnkijk.dll','');
BC_ImportQuarantineList;
BC_LogFile(GetAVZDirectory + 'boot_copy.log');
BC_Activate;
RebootWindows(true);
end.
[/code]
After that, please upload the quarantined file(s) according to the Rules.
Please use [url]http://virusinfo.info/upload_virus.php?tid=9477[/url] to upload.
P.S. I think Antivir is correct ;) But we would still like to see your quarantined file(s) according to the Rules.
-
Thank you for your help! I have executed your script.
Unfortunately I do not understand Russian, so I hope that I uploaded the quarantined files correctly. If not, please let me know.
I have also updated the AVZ database. Should I make new logs and add them to this thread?
-
[B]Ok[/B], nnnkijk.dll is a bad thing :)
According to Kaspersky, it is: not-a-virus:AdWare.Win32.Virtumonde.jf
The other 2 files I think are clean, but we will get an answer from Kaspersky laboratory shortly (I hope).
Now, about healing your computer: we have 2 options here. It is up to you which option to choose!
[B]The first option[/B] is your antivirus.
[url=http://virusinfo.info/showthread.php?t=9282]Boot in safe mode[/url], scan all your disks with Antivir and choose the option to delete the virus when Antivir finds [COLOR="Red"]nnnkijk.dll[/COLOR]. Reboot your PC after the antivirus has finished scanning your computer.
[B]The second option:[/B]
Please disconnect from the internet, [B]disable[/B] your Antivir,
run AVZ, go to File - Custom scripts, copy the code, paste it into the Custom scripts window and run the script.
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\WINDOWS\system32\nnnkijk.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_LogFile(GetAVZDirectory + 'boot_clr.log');
BC_Activate;
RebootWindows(true);
end.
[/code]
---------------------------------------------------------------------------------------------
After executing option 1 or 2 (or both :))) )
please make new logs (all 3, according to our rules) and please make sure you are not in safe mode.
P.S. Sorry for my English :) I hope we will translate the upload page shortly ;)
-
[QUOTE=CJb3LL;107787]Unfortunately I do not understand Russian[/QUOTE]
... but your English is OK ;).
BTW: What is your native language? It's only my own curiosity; you can ignore this question.
[QUOTE=drongo;107795]Ok , nnnkijk.dll it is a bad thing :) [/QUOTE]
Not [B]so[/B] bad. It could be worse :). It's only
[CODE][B]not-a-virus[/B]:AdWare.Win32.Virtumonde.jf[/CODE]
[QUOTE=drongo;107795][B]The First option [/B]is you antivir....
[/QUOTE]
Correct. :thumbsup: But just before scanning, please:
- [B]update[/B] the signatures of Antivir
- switch off system recovery
- empty all temp folders (you'll get a little help for that from [URL="http://www.clearprog.de"]here[/URL])
-
It seems that option two worked. The file nnnkijk.dll is deleted and after a reboot no warning appears.
But I think it is better to run a complete scan as well?
Then I will generate the three log-files and add them to this thread.
@both: Your English is good.
@Rene-gad: My native language is German. I think, I read your tutorial in German, right?
Ok, cu later! And thank you again!
-
[QUOTE=CJb3LL;107801]But I think it is better to run a complete scan as well?[/QUOTE] Yepp!
[QUOTE]I think, I read your tutorial in German, right?[/QUOTE]
Rischtisch :D
-
Rene-gad needs a prize for such a perfect advertisement of our service. :)
-
Attachments: 3
Sorry for my late answer.
I ran a complete scan and then generated the logs in normal mode. I have added them to this thread.
I think the trojan horse has gone.
Thanks a lot to all of you. You are a great team.
-
@CJb3LL
pls. fix with HijackThis
[QUOTE]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\nnnkijk.dll (file missing)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)[/QUOTE]
then make the new logs.
-
Yep, it is gone (still, it wasn't a Trojan - it is more an advertising tool ;) )
Your computer deserves some cosmetic cleaning. To do that, please also fix these two lines in HijackThis, if you don't have those programs anymore:
[code]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
[/code]
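The HijackThis entries quoted in this thread all share one trait: they point at a CLSID, DLL or executable that no longer exists ("(file missing)", "(no file)", "(no CLSID)"), which is why the helpers call them cosmetic. As an added illustration (not part of the original thread and not HijackThis or AVZ code), here is a small Python parser that reads HijackThis-style lines, extracts the section code and CLSID, and flags such orphaned entries; the sample log is constructed from the lines posted above plus one made-up healthy entry with a placeholder CLSID and path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in this thread, plus one
# made-up healthy BHO entry (placeholder CLSID and path) for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\\WINDOWS\\system32\\nnnkijk.dll (file missing)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Programme\\Example\\example.dll
"""

# Markers HijackThis prints when the referenced object is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)", "(no CLSID)")

# "O2 - BHO: ..." -> section code "O2" and the rest of the line.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A COM class id in registry form, e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str          # e.g. "O2", "O20"
    text: str             # the full original line
    clsid: Optional[str]  # CLSID if the line carries one
    orphan_marker: Optional[str]  # which "missing" marker matched, if any

    @property
    def is_orphan(self) -> bool:
        return self.orphan_marker is not None


def parse_hjt(log: str) -> List[HjtEntry]:
    """Parse HijackThis-style 'Onn - ...' lines; unrelated lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        clsid_match = CLSID_RE.search(rest)
        marker = next((mk for mk in ORPHAN_MARKERS if mk in rest), None)
        entries.append(HjtEntry(section, line,
                                clsid_match.group(0) if clsid_match else None,
                                marker))
    return entries


def orphan_entries(log: str) -> List[HjtEntry]:
    """Entries whose target file or CLSID no longer exists (cleanup candidates)."""
    return [e for e in parse_hjt(log) if e.is_orphan]


def entries_referencing(log: str, filename: str) -> List[HjtEntry]:
    """All entries that still mention a given file name (case-insensitive)."""
    needle = filename.lower()
    return [e for e in parse_hjt(log) if needle in e.text.lower()]


if __name__ == "__main__":
    for e in orphan_entries(SAMPLE_LOG):
        print(f"{e.section:<4} orphan [{e.orphan_marker}] clsid={e.clsid}")
    leftovers = entries_referencing(SAMPLE_LOG, "nnnkijk.dll")
    print(f"{len(leftovers)} entries still reference nnnkijk.dll after deletion")
```

The point of separating `orphan_entries` from `entries_referencing` is that the two checks answer different questions: the first lists registry leftovers that can be fixed purely for tidiness, the second shows whether the file the helpers removed is still being loaded from anywhere, which is what a fresh log after the fix should confirm is no longer the case.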
-
Ok, I fixed these five items. Now I will make the logs.
-
For now the site [url]www.aldi.com-[/url] is your start page. Do you want to change it?
-
This is just the start page of my Internet Explorer, but normally I use Firefox, so it is unimportant which start page is set in IE.
-
Attachments: 3
Here are the new logs as promised:
-
@CJb3LL
The logs don't show any sign of malware.
[QUOTE]Today 01:58[/QUOTE]
It would be better to sleep at this time ;).
-
It would be nice if you could send a copy of this one (before that, protect it in a zip with the password [B]virus[/B]): C:\Programme\SPSSEVAL\ProductRegistration.exe
directly to the creator of AVZ. You can find his email in "About" in AVZ.
-
[QUOTE]It would be better to sleep at this time ;).[/QUOTE]
Yes, that's right ;-)
Ok, I have sent the virus.zip of ProductRegistration.exe to the author of AVZ.