TechSpot

Abebot Spyware.

By jetpilot12
Mar 29, 2008
  1. Anybody want to help me get rid of this damn spyware?
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hello jetpilot12, and welcome to the forums.

    My name is kritius and I'll be glad to help you with your malware and virus problems.

    First you must understand that working a HijackThis log can take some time to research, so please be patient. I know that you need
    your computer working as quickly as possible, and I will work hard to help see that happen.

    Please be patient and I'd be grateful if you would note the following:
    • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.

    The first thing that I need you to do for me is to download and install HijackThis for me,

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete attach the log in your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.

    Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

    If you have any problems or questions then please post back.

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    I tried doing what you did for 549omaha
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Fixes are posted for specific problems everything is different, what exactly did you do?
     
  5. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    I did what you told 549Omaha to do, because I had the same problem as him.

    I got to the point of Kaspersky Online Scanner
     
  6. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    And how do you send the log file?
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Yes while you might have had the same problem, the fixes I wrote will have been tailored for his pc.

    Post the HijackThis log and kaspersky scan as an attachment, (see how here)
     
  8. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    Here's the attachment
     
  9. kritius

    kritius TS Guru Posts: 2,084

    P2P Warning!

    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    Ares

    While yours is listed as a clean program please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    If you wish to keep it, please do not use it until your computer is cleaned.

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    You should get a firewall as well, either, these firewalls are all free,

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below

      R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\byXQGyxw.dll
      O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll
      O2 - BHO: (no name) - {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} - C:\WINDOWS\system32\opnkiGWM.dll
      O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
      O20 - Winlogon Notify: byXQGyxw - C:\WINDOWS\SYSTEM32\byXQGyxw.dll

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete Files and Folders
    • Right Click on the start button and chose explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them(if still present)
    C:\WINDOWS\SYSTEM32\byXQGyxw.dll<---------This File

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    In your next post you should include,
    1) VundoFix log
    2) Fresh HijackThis log
    3) Firewall installed
    4) How is the computer running now.


    This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    It won't let me delete the file

    C:\WINDOWS\system32\byXQGyxw.dll

    What should I do?

    Everytime I go to delete it it comes up as the file is being used by another application. For some weird reason my taskbar has been shut off by the administrator.
     
  11. kritius

    kritius TS Guru Posts: 2,084

    Download RatsCheddar.zip
    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.


    Delete Files on Reboot
    • Start Hijackthis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the button labeled Delete a file on reboot...
    • A new window will open asking you to select the file that you would like to delete on reboot.
    • Navigate to each file and click on it once, and then click on the Open button.
    C:\WINDOWS\system32\byXQGyxw.dll
    • You will now be asked if you would like to reboot your computer to delete the file.
    • Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.


    This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    Hey I will send you another log report on the files I deleted the ones you told me too, but they seem that they came back,

    Did the malicious files come back?


    And I did what you told me to do, and yet again the file

    C:\WINDOWS\system32\byXQGyxw.dll

    Still can't be deleted.
     
  13. kritius

    kritius TS Guru Posts: 2,084

    What about VundoFix? Did that find anything?

    If not try this,

    Please Download VirtumundoBeGone by secured2k
    • Save the file to your desktop
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click "Save Log"

    Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.

    The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.

    Empty Recycle Bin.

    Reboot and attach a new HijackThis log file along with the VBG.TXT into this thread.
    Also please describe how your computer behaves at the moment.
     
  14. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    Vundofix didn't find anything...
    and the link to VirtunmundoBeGone is broken.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    And virtmundobegone?
     
  16. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    And the link to virtmundobegone seems to be broken.

    it's that dam file that's not wanting to be deleted, did you check my log I sent you?

    C:\WINDOWS\system32\byXQGyxw.dll<----- That file is pisting me off.
     
  17. kritius

    kritius TS Guru Posts: 2,084

    try HERE

    Its definitely a vundo infection, if vundofix didnt catch it then this should.

    also

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  18. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    I think VirtumundoBeGone did something, I don't know what it did exactly but I know it did something. I will attach the log.

    I can't attach it so I will paste it:


    [03/30/2008, 11:40:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
    [03/30/2008, 11:40:30] - Detected System Information:
    [03/30/2008, 11:40:30] - Windows Version: 5.1.2600, Service Pack 2
    [03/30/2008, 11:40:30] - Current Username: Owner (Admin)
    [03/30/2008, 11:40:30] - Windows is in NORMAL mode.
    [03/30/2008, 11:40:30] - Searching for Browser Helper Objects:
    [03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
    [03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
    [03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\byXQGyxw
    [03/30/2008, 11:40:30] - Found: HKLM\...\Winlogon\Notify\byXQGyxw - This is probably Virtumundo.
    [03/30/2008, 11:40:30] - Assigning {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} MSEvents Object
    [03/30/2008, 11:40:30] - BHO list has been changed! Starting over...
    [03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
    [03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
    [03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} (MSEvents Object)
    [03/30/2008, 11:40:30] - ALERT: Found MSEvents Object!
    [03/30/2008, 11:40:30] - BHO 6: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - No filename found. Continuing.
    [03/30/2008, 11:40:30] - BHO 7: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - No filename found. Continuing.
    [03/30/2008, 11:40:30] - BHO 8: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
    [03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:30] - No filename found. Continuing.
    [03/30/2008, 11:40:30] - Finished Searching Browser Helper Objects
    [03/30/2008, 11:40:30] - *** Detected MSEvents Object
    [03/30/2008, 11:40:30] - Trying to remove MSEvents Object...
    [03/30/2008, 11:40:31] - Terminating Process: IEXPLORE.EXE
    [03/30/2008, 11:40:32] - Terminating Process: RUNDLL32.EXE
    [03/30/2008, 11:40:34] - Disabling Automatic Shell Restart
    [03/30/2008, 11:40:34] - Terminating Process: EXPLORER.EXE
    [03/30/2008, 11:40:35] - Suspending the NT Session Manager System Service
    [03/30/2008, 11:40:35] - Terminating Windows NT Logon/Logoff Manager
    [03/30/2008, 11:40:35] - Re-enabling Automatic Shell Restart
    [03/30/2008, 11:40:35] - File to disable: C:\WINDOWS\system32\byXQGyxw.dll
    [03/30/2008, 11:40:35] - Renaming C:\WINDOWS\system32\byXQGyxw.dll -> C:\WINDOWS\system32\byXQGyxw.dll.vir
    [03/30/2008, 11:40:36] - File successfully renamed!
    [03/30/2008, 11:40:36] - Removing HKLM\...\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
    [03/30/2008, 11:40:36] - Removing HKCR\CLSID\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
    [03/30/2008, 11:40:37] - Adding Kill Bit for ActiveX for GUID: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
    [03/30/2008, 11:40:37] - Deleting ATLEvents/MSEvents Registry entries
    [03/30/2008, 11:40:37] - Removing HKLM\...\Winlogon\Notify\byXQGyxw
    [03/30/2008, 11:40:37] - Searching for Browser Helper Objects:
    [03/30/2008, 11:40:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [03/30/2008, 11:40:37] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [03/30/2008, 11:40:37] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
    [03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:37] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
    [03/30/2008, 11:40:37] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
    [03/30/2008, 11:40:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/30/2008, 11:40:37] - BHO 5: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
    [03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:37] - No filename found. Continuing.
    [03/30/2008, 11:40:37] - BHO 6: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
    [03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:37] - No filename found. Continuing.
    [03/30/2008, 11:40:37] - BHO 7: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
    [03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/30/2008, 11:40:37] - No filename found. Continuing.
    [03/30/2008, 11:40:37] - Finished Searching Browser Helper Objects
    [03/30/2008, 11:40:37] - Finishing up...
    [03/30/2008, 11:40:37] - A restart is needed.
    [03/30/2008, 11:40:48] - Attempting to Restart via STOP error (Blue Screen!)
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Ok then, delete all the attachments you have previously used and then attach a new HijackThis log for me.
     
  20. jetpilot12

    jetpilot12 TS Rookie Topic Starter

    Alright here is the log after the anti-malware scan and removal was completed as well as the vundofix.
     
  21. iwantacookie

    iwantacookie TS Rookie

    made a new thread
     
  22. kritius

    kritius TS Guru Posts: 2,084

    Ok then, that worked well,

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    P2P PROGRAMS

    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    Ares

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    If you wish to keep them, please do not use them until your computer is cleaned.

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • attach the report in your next post.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...