jetpilot12
Posts: 11 +0
Anybody want to help me get rid of this damn spyware?
Abebot Spyware.
- Thread starter jetpilot12
- Start date
- Status
kritius
Posts: 2,077 +0
Hello jetpilot12, and welcome to the forums.
My name is kritius and I'll be glad to help you with your malware and virus problems.
First you must understand that working a HijackThis log can take some time to research, so please be patient. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.
Please be patient and I'd be grateful if you would note the following:
The first thing that I need you to do for me is to download and install HijackThis for me,
Highjackthis Instructions
Do not add anything to the ignore list.
Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.
If you have any problems or questions then please post back.
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
My name is kritius and I'll be glad to help you with your malware and virus problems.
First you must understand that working a HijackThis log can take some time to research, so please be patient. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.
Please be patient and I'd be grateful if you would note the following:
- I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
- It's often worth reading through these instructions and printing them for ease of reference.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.
The first thing that I need you to do for me is to download and install HijackThis for me,
Highjackthis Instructions
- Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
- Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
- After installing, the program launches automatically, select Scan now and save a log
- After the scan is complete attach the log in your reply.
Do not add anything to the ignore list.
Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.
If you have any problems or questions then please post back.
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please attach the log into your next reply.
- If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
jetpilot12
Posts: 11 +0
I tried doing what you did for 549omaha
jetpilot12
Posts: 11 +0
I did what you told 549Omaha to do, because I had the same problem as him.
I got to the point of Kaspersky Online Scanner
I got to the point of Kaspersky Online Scanner
jetpilot12
Posts: 11 +0
And how do you send the log file?
kritius
Posts: 2,077 +0
Yes while you might have had the same problem, the fixes I wrote will have been tailored for his pc.
Post the HijackThis log and kaspersky scan as an attachment, (see how here)
Post the HijackThis log and kaspersky scan as an attachment, (see how here)
jetpilot12
Posts: 11 +0
Here's the attachment
kritius
Posts: 2,077 +0
P2P Warning!
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Ares
While yours is listed as a clean program please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here
If you wish to keep it, please do not use it until your computer is cleaned.
Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
You should get a firewall as well, either, these firewalls are all free,
Fix entries using HiJackThis
Delete Files and Folders
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***
Please download VundoFix.exe to your desktop.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
In your next post you should include,
1) VundoFix log
2) Fresh HijackThis log
3) Firewall installed
4) How is the computer running now.
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Ares
While yours is listed as a clean program please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here
If you wish to keep it, please do not use it until your computer is cleaned.
Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
You should get a firewall as well, either, these firewalls are all free,
Fix entries using HiJackThis
- Launch HiJackThis
- Click the Do a system scan only button
- Put a check next to the entries listed below
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\byXQGyxw.dll
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll
O2 - BHO: (no name) - {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} - C:\WINDOWS\system32\opnkiGWM.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O20 - Winlogon Notify: byXQGyxw - C:\WINDOWS\SYSTEM32\byXQGyxw.dll
- IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
- Click the Fix checked button and close HiJackThis
- Reboot HijackThis if necessary
Delete Files and Folders
- Right Click on the start button and chose explore
- Show all hidden files and folders, see how HERE
- Navigate to the following files and folders and delete them(if still present)
- Empty the recycle bin.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
In your next post you should include,
1) VundoFix log
2) Fresh HijackThis log
3) Firewall installed
4) How is the computer running now.
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
jetpilot12
Posts: 11 +0
It won't let me delete the file
C:\WINDOWS\system32\byXQGyxw.dll
What should I do?
Everytime I go to delete it it comes up as the file is being used by another application. For some weird reason my taskbar has been shut off by the administrator.
C:\WINDOWS\system32\byXQGyxw.dll
What should I do?
Everytime I go to delete it it comes up as the file is being used by another application. For some weird reason my taskbar has been shut off by the administrator.
kritius
Posts: 2,077 +0
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.
Delete Files on Reboot
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.
Delete Files on Reboot
- Start Hijackthis
- Click on the Config button
- Click on the Misc Tools button
- Click on the button labeled Delete a file on reboot...
- A new window will open asking you to select the file that you would like to delete on reboot.
- Navigate to each file and click on it once, and then click on the Open button.
- You will now be asked if you would like to reboot your computer to delete the file.
- Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
This thread is for the use of jetpilot12 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
jetpilot12
Posts: 11 +0
Hey I will send you another log report on the files I deleted the ones you told me too, but they seem that they came back,
Did the malicious files come back?
And I did what you told me to do, and yet again the file
C:\WINDOWS\system32\byXQGyxw.dll
Still can't be deleted.
Did the malicious files come back?
And I did what you told me to do, and yet again the file
C:\WINDOWS\system32\byXQGyxw.dll
Still can't be deleted.
kritius
Posts: 2,077 +0
What about VundoFix? Did that find anything?
If not try this,
Please Download VirtumundoBeGone by secured2k
Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.
The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.
Empty Recycle Bin.
Reboot and attach a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.
If not try this,
Please Download VirtumundoBeGone by secured2k
- Save the file to your desktop
- Close all running programs (including your Internet Browser)
- Double-click VirtumundoBeGone.exe on the desktop
- Read the introductory information, and then click Continue
- Click Start
- When asked if you want to continue, click Yes to run the fix
- Click "Save Log"
Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.
The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.
Empty Recycle Bin.
Reboot and attach a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.
jetpilot12
Posts: 11 +0
Vundofix didn't find anything...
and the link to VirtunmundoBeGone is broken.
and the link to VirtunmundoBeGone is broken.
jetpilot12
Posts: 11 +0
And the link to virtmundobegone seems to be broken.
it's that dam file that's not wanting to be deleted, did you check my log I sent you?
C:\WINDOWS\system32\byXQGyxw.dll<----- That file is pisting me off.
it's that dam file that's not wanting to be deleted, did you check my log I sent you?
C:\WINDOWS\system32\byXQGyxw.dll<----- That file is pisting me off.
kritius
Posts: 2,077 +0
try HERE
Its definitely a vundo infection, if vundofix didnt catch it then this should.
also
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
Its definitely a vundo infection, if vundofix didnt catch it then this should.
also
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please attach the log into your next reply.
- If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
jetpilot12
Posts: 11 +0
I think VirtumundoBeGone did something, I don't know what it did exactly but I know it did something. I will attach the log.
I can't attach it so I will paste it:
[03/30/2008, 11:40:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[03/30/2008, 11:40:30] - Detected System Information:
[03/30/2008, 11:40:30] - Windows Version: 5.1.2600, Service Pack 2
[03/30/2008, 11:40:30] - Current Username: Owner (Admin)
[03/30/2008, 11:40:30] - Windows is in NORMAL mode.
[03/30/2008, 11:40:30] - Searching for Browser Helper Objects:
[03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\byXQGyxw
[03/30/2008, 11:40:30] - Found: HKLM\...\Winlogon\Notify\byXQGyxw - This is probably Virtumundo.
[03/30/2008, 11:40:30] - Assigning {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} MSEvents Object
[03/30/2008, 11:40:30] - BHO list has been changed! Starting over...
[03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} (MSEvents Object)
[03/30/2008, 11:40:30] - ALERT: Found MSEvents Object!
[03/30/2008, 11:40:30] - BHO 6: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - BHO 7: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - BHO 8: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - Finished Searching Browser Helper Objects
[03/30/2008, 11:40:30] - *** Detected MSEvents Object
[03/30/2008, 11:40:30] - Trying to remove MSEvents Object...
[03/30/2008, 11:40:31] - Terminating Process: IEXPLORE.EXE
[03/30/2008, 11:40:32] - Terminating Process: RUNDLL32.EXE
[03/30/2008, 11:40:34] - Disabling Automatic Shell Restart
[03/30/2008, 11:40:34] - Terminating Process: EXPLORER.EXE
[03/30/2008, 11:40:35] - Suspending the NT Session Manager System Service
[03/30/2008, 11:40:35] - Terminating Windows NT Logon/Logoff Manager
[03/30/2008, 11:40:35] - Re-enabling Automatic Shell Restart
[03/30/2008, 11:40:35] - File to disable: C:\WINDOWS\system32\byXQGyxw.dll
[03/30/2008, 11:40:35] - Renaming C:\WINDOWS\system32\byXQGyxw.dll -> C:\WINDOWS\system32\byXQGyxw.dll.vir
[03/30/2008, 11:40:36] - File successfully renamed!
[03/30/2008, 11:40:36] - Removing HKLM\...\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:36] - Removing HKCR\CLSID\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:37] - Adding Kill Bit for ActiveX for GUID: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:37] - Deleting ATLEvents/MSEvents Registry entries
[03/30/2008, 11:40:37] - Removing HKLM\...\Winlogon\Notify\byXQGyxw
[03/30/2008, 11:40:37] - Searching for Browser Helper Objects:
[03/30/2008, 11:40:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:37] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:37] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:37] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:37] - BHO 5: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - BHO 6: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - BHO 7: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - Finished Searching Browser Helper Objects
[03/30/2008, 11:40:37] - Finishing up...
[03/30/2008, 11:40:37] - A restart is needed.
[03/30/2008, 11:40:48] - Attempting to Restart via STOP error (Blue Screen!)
I can't attach it so I will paste it:
[03/30/2008, 11:40:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[03/30/2008, 11:40:30] - Detected System Information:
[03/30/2008, 11:40:30] - Windows Version: 5.1.2600, Service Pack 2
[03/30/2008, 11:40:30] - Current Username: Owner (Admin)
[03/30/2008, 11:40:30] - Windows is in NORMAL mode.
[03/30/2008, 11:40:30] - Searching for Browser Helper Objects:
[03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\byXQGyxw
[03/30/2008, 11:40:30] - Found: HKLM\...\Winlogon\Notify\byXQGyxw - This is probably Virtumundo.
[03/30/2008, 11:40:30] - Assigning {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} MSEvents Object
[03/30/2008, 11:40:30] - BHO list has been changed! Starting over...
[03/30/2008, 11:40:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:30] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:30] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:30] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:30] - BHO 5: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} (MSEvents Object)
[03/30/2008, 11:40:30] - ALERT: Found MSEvents Object!
[03/30/2008, 11:40:30] - BHO 6: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - BHO 7: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - BHO 8: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
[03/30/2008, 11:40:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:30] - No filename found. Continuing.
[03/30/2008, 11:40:30] - Finished Searching Browser Helper Objects
[03/30/2008, 11:40:30] - *** Detected MSEvents Object
[03/30/2008, 11:40:30] - Trying to remove MSEvents Object...
[03/30/2008, 11:40:31] - Terminating Process: IEXPLORE.EXE
[03/30/2008, 11:40:32] - Terminating Process: RUNDLL32.EXE
[03/30/2008, 11:40:34] - Disabling Automatic Shell Restart
[03/30/2008, 11:40:34] - Terminating Process: EXPLORER.EXE
[03/30/2008, 11:40:35] - Suspending the NT Session Manager System Service
[03/30/2008, 11:40:35] - Terminating Windows NT Logon/Logoff Manager
[03/30/2008, 11:40:35] - Re-enabling Automatic Shell Restart
[03/30/2008, 11:40:35] - File to disable: C:\WINDOWS\system32\byXQGyxw.dll
[03/30/2008, 11:40:35] - Renaming C:\WINDOWS\system32\byXQGyxw.dll -> C:\WINDOWS\system32\byXQGyxw.dll.vir
[03/30/2008, 11:40:36] - File successfully renamed!
[03/30/2008, 11:40:36] - Removing HKLM\...\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:36] - Removing HKCR\CLSID\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:37] - Adding Kill Bit for ActiveX for GUID: {94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
[03/30/2008, 11:40:37] - Deleting ATLEvents/MSEvents Registry entries
[03/30/2008, 11:40:37] - Removing HKLM\...\Winlogon\Notify\byXQGyxw
[03/30/2008, 11:40:37] - Searching for Browser Helper Objects:
[03/30/2008, 11:40:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 11:40:37] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/30/2008, 11:40:37] - BHO 3: {59CB153F-EF27-4E1D-8F5D-ED6E369A1B4A} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - Checking for HKLM\...\Winlogon\Notify\opnkiGWM
[03/30/2008, 11:40:37] - Key not found: HKLM\...\Winlogon\Notify\opnkiGWM, continuing.
[03/30/2008, 11:40:37] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 11:40:37] - BHO 5: {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - BHO 6: {E170B2B1-BE90-4D5F-918E-C49EE5D7758E} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - BHO 7: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} ()
[03/30/2008, 11:40:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 11:40:37] - No filename found. Continuing.
[03/30/2008, 11:40:37] - Finished Searching Browser Helper Objects
[03/30/2008, 11:40:37] - Finishing up...
[03/30/2008, 11:40:37] - A restart is needed.
[03/30/2008, 11:40:48] - Attempting to Restart via STOP error (Blue Screen!)
jetpilot12
Posts: 11 +0
Alright here is the log after the anti-malware scan and removal was completed as well as the vundofix.
iwantacookie
Posts: 6 +0
made a new thread
kritius
Posts: 2,077 +0
Ok then, that worked well,
Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
Fix entries using HiJackThis
P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Ares
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
Also available here.
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
If you wish to keep them, please do not use them until your computer is cleaned.
I would like you to do an online scan so that we can what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.
Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
Fix entries using HiJackThis
- Launch HiJackThis
- Click the Do a system scan only button
- Put a check next to the entries listed below
- IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
- Click the Fix checked button and close HiJackThis
- Reboot HijackThis if necessary
P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Ares
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
Also available here.
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
If you wish to keep them, please do not use them until your computer is cleaned.
I would like you to do an online scan so that we can what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.
Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
o Extended (If available, otherwise use standard)
o Scan Options:
o Scan Archives
o Scan Mail Bases - Click OK
- Under select a target to scan, select My Computer
- The scan will take a while so be patient and let it run.
- Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
- Click the Save Report As... button (see red arrow below)
- In the Save as... prompt, select Desktop
- In the File name box, name the file
- In the Save as type prompt, select Text file (see below)
- attach the report in your next post.
- Status
Similar threads
Latest posts
-
Apple Vision Pro is facing declining interest and sales among consumers- Zsoltblabla replied
-
Bending metal: The changing server business- Arbie replied
-
Ryzen 7 5800X3D vs. Ryzen 7 7800X3D, Ryzen 9 7900X3D and 7950X3D- Q Wales replied
