B.Exe and Vundo problems

Status
Not open for further replies.

thebogusman

Have tried everything I know to get rid of this but with no success at all.

When the computer is switched on, and one logs on, a dialogue box appears on the desktop to say that "b.exe has experienced a problem and needs to close down". I have deleted b.exe a thousand times, but it regenerates itself constantly.

Almost immediately, my anti-virus software kicks in telling me I have numerous instances of trojan vundo on my PC. It tells me it has deleted them, but they re-appear over a couple of minutes, causing internet explorer to shut down.

When I am online, my browser is hijacked by numerous ads ... mainly for anti virus software!

Am at my wits end, and any help greatly appreciated. HiJack this log attached
 
Have done everything requested and attach the relevant hijack log.

With reference to the AVG report, what would you like me to do. It is too big to upload (500kb+) and too long to paste in here (229,000 + characters)?

Thanks for your assistance, by the way
 

Please rename HijackThis.exe to HijackThis1991.exe as per the instructions and post a fresh HJT log.

As for the AVG Antispyware log, Delete all files in AVG Antispyware quarantine, then run the Ccleaner programme as per the instructions.

Do a fresh scan with AVG Antispyware and see if you can attach the new log file.

Regards Howard :)

This thread is for the use of thebogusman only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Yes ... had actually followed the instructions. HijackThis was already called HijackThis1991 when I downloaded it. Had run CCleaner.

However, did everything again. AVG anti-spyware file still too big to upload and too long to cut and paste. I have 1051 infected objects, although the biggest threat seems to be Backdoor.IRCbot.qc. Every other threat is a tracking cookie.

The Backdoor thing seems to have put thousands of files into the section of "My Documents" labelled "My Music" - they are all invisible.

HiJackThis log attached
 
Howard means that hijackthis.exe must be renamed hijackthis1991.exe!!

I just had a look at your last hjt log and saw this line - "C:\Downloads\Hijack This\HijackThis.exe" which means you didn't change it!!



 
This is from your HJT log above.

C:\Downloads\Hijack This\HijackThis.exe

As you can see, HijackThis.exe hasn`t been renamed to HijackThis1991.exe.

It is very important that this is done, as some malware can hide from HijackThis.exe.

The best thing to do with your AVG log is to copy and paste half of it into a new .txt document, then do the same for the rest of the AVG log. You should then be able to attach both .txt files.

Regards Howard :)

 
Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how HERE.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {5E59E430-D8DB-4064-B1A7-0BC5B0CF7470} - C:\WINDOWS\system32\ssqpo.dll

O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)

O2 - BHO: (no name) - {CE6C09A1-C878-410B-9168-A99D2ECDC972} - C:\WINDOWS\system32\ssqpo.dll

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{AF090EB7-5BA4-4B2E-A6ED-05389DCAE5A2}: NameServer = 212.139.132.41 212.139.132.42 <-- Only fix this if it doesn`t belong to your ISP.

O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\ssqpo.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
It`s ok, your third HJT log is named correctly. It was your second HJT log I was referring to. You hadn`t posted the third HJT log, when I replied lol.

Just follow the instructions in my post above.

Regards Howard :)

 
Thanks for all your help with this.

Have followed your instructions, but the only thing that has changed is that the warning messages about the b.exe file is not now loading when I log on.

Am still plagued by Trojan: Vundo and still getting browser windows opening up. My anti-virus software (symantec) says it has detected Vundo and has deleted it, but it is telling me this about every couple of minutes.

Latest HJT log attached
 
Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

This is the filepath you need to enter into Vundofix.

C:\WINDOWS\system32\ssqpo.dll

Post a fresh HJT log after doing the above.

Regards Howard :)

 
Tried all that ... still no joy

Vundofix says it cannot delete C:\WINDOWS\sytem32\ssqpo.dll

Still have new browser windows opening all over the show - what really bugs me is that most of them are for anti-virus and anti-trojan software

Have attached latest HJT log
 
Please download VundoFix.exe to your desktop. This is not the same version of Vundofix you used before.
http://www.atribune.org/downloads/VundoFix.exe
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
A command window will open and it should look like this:

VundoFix V2.15 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\ssqpo.dll

Press Enter.
Next you will see:

Please type in the second filepath as instructed by the forum staff
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\opqss.*
Press Enter to continue.
The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {18F48D52-12AF-41C1-B3A4-385D0FC44DFF} - C:\WINDOWS\system32\ssqpo.dll
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll

After you have fixed these items, close Hijackthis.
The fix will tell you to shutdown using the Power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular windows.
Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the Bad Shutdown we caused.

Post a fresh HJT log.

Regards Howard :)

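The log entries quoted in the posts above share a pattern worth checking for in any HijackThis log: one DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), with a second file path that is the DLL's base name reversed (ssqpo.dll and opqss.*). The following is an added example, not part of the thread and not code from HijackThis or VundoFix; the function names `triage` and `reversed_companion` are hypothetical, and the sample lines are the ones quoted in the posts.

```python
import re
from collections import defaultdict

# HijackThis log lines as quoted in the posts above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5E59E430-D8DB-4064-B1A7-0BC5B0CF7470} - C:\WINDOWS\system32\ssqpo.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O2 - BHO: (no name) - {CE6C09A1-C878-410B-9168-A99D2ECDC972} - C:\WINDOWS\system32\ssqpo.dll
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll
"""

BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

def triage(log_text):
    """Group O2/O20 entries by DLL path and return review notes per path."""
    seen = defaultdict(lambda: {"bho": [], "notify": [], "missing": False})
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO.match(line)
        if m:
            entry = seen[m["path"].lower()]
            entry["bho"].append(m["clsid"])
            entry["missing"] |= bool(m["missing"])
            continue
        m = NOTIFY.match(line)
        if m:
            seen[m["path"].lower()]["notify"].append(m["name"])
    findings = {}
    for path, e in seen.items():
        notes = []
        if e["bho"] and e["notify"]:
            notes.append("same DLL is a BHO and a Winlogon Notify package")
        if len(e["bho"]) > 1:
            notes.append(f"{len(e['bho'])} CLSIDs point at one DLL")
        if e["missing"]:
            notes.append("orphaned entry (file missing)")
        if notes:
            findings[path] = notes
    return findings

def reversed_companion(dll_path):
    """Return the wildcard for the reversed base name, as in ssqpo.dll -> opqss.*"""
    folder, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"

if __name__ == "__main__":
    for path, notes in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(notes), "| also check", reversed_companion(path))
```

The notes are prompts for manual review of a log, not a verdict; legitimate software can also register BHOs and Winlogon Notify packages.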
 
I'm holding my breath but .... it seems to have worked!

A slight hiccough in that the fix could not find HiJack This and I was unable to manually locate it. I had no option but to reboot the PC. However, I ran it immediately and the three items you said would be there were there, so I fixed them

Have attached the log.

Thank you so very much. If you ever need the services of a motoring lawyer, send me an email.
 
Well done, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 