Secured2K, Question about your removal tool

Question

I used your removal tool. It appears to have worked. The only question that I have is that when the tool started running, my screen went blue. There was some type of message about a fatal error. I turned off the computer and turned it back on and everything seems to be working just fine and nothing was lost from my hard drive. Do you know why this happened? Is that normal? Also, your removal tool appears to have worked perfectly. I am no longer being alerted about the virus. Below is a report:   10/19/2005, 12:44:30 - Starting Process 10/19/2005, 12:44:30 - Looking for Browser Helper Object [MSEvents Object] 10/19/2005, 12:44:30 - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - 10/19/2005, 12:44:30 - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class 10/19/2005, 12:44:30 - 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - 10/19/2005, 12:44:30 - 4: {52B1DFC7-AAFC-4362-B103-868B0683C697} - MSEvents Object 10/19/2005, 12:44:30 - Found MSEvents Object! 10/19/2005, 12:44:30 - File location: C:\WINDOWS\system32\jkklk.dll 10/19/2005, 12:44:30 - Attempting to kill C:\WINDOWS\system32\jkklk.dll 10/19/2005, 12:44:30 - Stopping McShield 10/19/2005, 12:44:30 - Killing rundll32 10/19/2005, 12:44:30 - Killing Internet Explorer 10/19/2005, 12:44:31 - Disabling Automatic Shell Restart 10/19/2005, 12:44:31 - Killing Explorer 10/19/2005, 12:44:31 - Suspending the NT Session Manager System Service 10/19/2005, 12:44:31 - Killing Winlogon 10/19/2005, 12:44:31 - Restoring Automatic Shell Restart 10/19/2005, 12:44:31 - Renaming C:\WINDOWS\system32\jkklk.dll -> C:\WINDOWS\system32\jkklk.dll.vir 10/19/2005, 12:44:31 - Removing Registry references to {52B1DFC7-AAFC-4362-B103-868B0683C697} 10/19/2005, 12:44:31 - Removing Winlogon Notify Entry (jkklk) 10/19/2005, 12:44:31 - BHO List has been changed! Restarting. 10/19/2005, 12:44:31 - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - 10/19/2005, 12:44:31 - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class 10/19/2005, 12:44:31 - 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - 10/19/2005, 12:44:31 - 4: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess 10/19/2005, 12:44:31 - 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class 10/19/2005, 12:44:31 - 6: {BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class 10/19/2005, 12:44:31 - Finished searching for [MSEvents Object] 10/19/2005, 12:44:31 - Cleaning up... 10/19/2005, 12:44:31 - Setting Automatic Reboot on STOP Error. 10/19/2005, 12:44:31 - Attempting to Restart...   Thanks.

secured2k · Answer

This STOP error (Blue Screen Error) is normal.   The virus/trojan hooks into the Winlogon.exe process. In order to remove it, the Virtumundo tools have to kill that process which is responsible for handling logon and logoffs (and shutdowns). When the tool is done, it reactivates the NT Session Manager which notices WINLOGON is missing and it makes a STOP error.   The tool makes a registry change to allow the system to auto restart after this STOP error.   I could do more to kill just about every process on the system, but then users would have no way of shutting down the computer besides manually doing it.

Virus & Spyware

Was this post helpful?