TechSpot

B.Exe and Vundo problems

By thebogusman
Dec 8, 2006
  1. Have tried everything I know to get rid of this but with no success at all.

    When the computer is switched on, and one logs on, a dialogue box appears on the desktop to say that "b.exe has experienced a problem and needs to close down". I have deleted b.exe a thousand times, but it regenerates itself constantly.

    Almost immediately, my anti-virus software kicks in telling me I have numerous instances of trojan vundo on my PC. It tells me it has deleted them, but they re-appear over a couple of minutes, causing internet explorer to shut down.

    When I am online, my browser is hijacked by numerous ads ... mainly for anti virus software!

    Am at my wits' end, and any help greatly appreciated. HijackThis log attached.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


    This thread is for the use of thebogusman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. thebogusman

    thebogusman TS Rookie Topic Starter

    Have done everything requested and attach the relevant hijack log.

    With reference to the AVG report, what would you like me to do? It is too big to upload (500kb+) and too long to paste in here (229,000+ characters).

    Thanks for your assistance, by the way
     

  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please rename HijackThis.exe to HijackThis1991.exe as per the instructions and post a fresh HJT log.

    As for the AVG Antispyware log, delete all files in AVG Antispyware quarantine, then run the Ccleaner programme as per the instructions.

    Do a fresh scan with AVG Antispyware and see if you can attach the new log file.

    Regards Howard :)

     
  5. thebogusman

    thebogusman TS Rookie Topic Starter

    Yes ... had actually followed the instructions. HijackThis was already called HijackThis1991 when I downloaded it. Had run CCleaner.

    However, did everything again. AVG anti-spyware file still too big to upload and too long to cut and paste. I have 1051 infected objects, although the biggest threat seems to be Backdoor.IRCbot.qc. Every other threat is a tracking cookie.

    The Backdoor thing seems to have put thousands of files into the section of "My Documents" labelled "My Music" - they are all invisible.

    HiJackThis log attached
     
  6. Rik

    Rik Banned Posts: 3,814

    Howard means that hijackthis.exe must be renamed hijackthis1991.exe!!

    I just had a look at your last hjt log and saw this line - "C:\Downloads\Hijack This\HijackThis.exe" which means you didn't change it!!



     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    This is from your HJT log above.

    C:\Downloads\Hijack This\HijackThis.exe

    As you can see, HijackThis.exe hasn't been renamed to HijackThis1991.exe.

    It is very important that this is done, as some malware can hide from HijackThis.exe.

    The best thing to do with your AVG log is to copy and paste half of it into a new .txt document, then do the same for the rest of the AVG log. You should then be able to attach both .txt files.

    Regards Howard :)

     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how HERE.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

    O2 - BHO: (no name) - {5E59E430-D8DB-4064-B1A7-0BC5B0CF7470} - C:\WINDOWS\system32\ssqpo.dll

    O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)

    O2 - BHO: (no name) - {CE6C09A1-C878-410B-9168-A99D2ECDC972} - C:\WINDOWS\system32\ssqpo.dll

    O11 - Options group: [INTERNATIONAL] International*

    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab

    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AF090EB7-5BA4-4B2E-A6ED-05389DCAE5A2}: NameServer = 212.139.132.41 212.139.132.42 (Only fix this if it doesn't belong to your ISP.)

    O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\ssqpo.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  9. thebogusman

    thebogusman TS Rookie Topic Starter

    Can you explain how to rename the Hijackthis file? It is displayed on my computer as HiJackthis1991.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's ok, your third HJT log is named correctly. It was your second HJT log I was referring to. You hadn't posted the third HJT log, when I replied lol.

    Just follow the instructions in my post above.

    Regards Howard :)

     
  11. thebogusman

    thebogusman TS Rookie Topic Starter

    Thanks for all your help with this.

    Have followed your instructions, but the only thing that has changed is that the warning message about the b.exe file is not now loading when I log on.

    Am still plagued by Trojan: Vundo and still getting browser windows opening up. My anti-virus software (Symantec) says it has detected Vundo and has deleted it, but it is telling me this about every couple of minutes.

    Latest HJT log attached
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\system32\ssqpo.dll

    Post a fresh HJT log after doing the above.

    Regards Howard :)

     
  13. thebogusman

    thebogusman TS Rookie Topic Starter

    Tried all that ... still no joy

    Vundofix says it cannot delete C:\WINDOWS\sytem32\ssqpo.dll

    Still have new browser windows opening all over the show - what really bugs me is that most of them are for anti-virus and anti-trojan software.

    Have attached latest HJT log
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please download VundoFix.exe to your desktop. This is not the same version of Vundofix you used before.
    http://www.atribune.org/downloads/VundoFix.exe
    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop.
    After the files are extracted, please restart your computer into Safe Mode.

    Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
    A command window will open and it should look like this:

    VundoFix V2.15 by Atri
    By pressing enter you agree that you are using this at your own risk

    At this point press enter one time.
    Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, to continue with the fix.

    At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\ssqpo.dll

    Press Enter.
    Next you will see:

    Please type in the second filepath as instructed by the forum staff
    At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\opqss.*
    Press Enter to continue.
    The fix will run then HijackThis will open.
    In HijackThis, please place a check next to the following items and click FIX CHECKED:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {18F48D52-12AF-41C1-B3A4-385D0FC44DFF} - C:\WINDOWS\system32\ssqpo.dll
    O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll

    After you have fixed these items, close Hijackthis.
    The fix will tell you to shut down using the Power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular windows.
    Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the Bad Shutdown we caused.

    Post a fresh HJT log.

    Regards Howard :)
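
Added example (not part of any post in this thread): a Python sketch that reads HijackThis entries like those Howard lists and reports any DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), along with the reversed-name pattern he gives as the second path (opqss.* for ssqpo.dll). The function names are hypothetical, and the sample lines are copied from the fix list posted earlier in the thread.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: HJT entries copied from the fix list in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5E59E430-D8DB-4064-B1A7-0BC5B0CF7470} - C:\WINDOWS\system32\ssqpo.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O2 - BHO: (no name) - {CE6C09A1-C878-410B-9168-A99D2ECDC972} - C:\WINDOWS\system32\ssqpo.dll
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll
"""

# Group 1 is the HJT section (O2 = BHO, O20 = Winlogon Notify), group 2 the DLL path.
ENTRY = re.compile(
    r"^(O2 - BHO|O20 - Winlogon Notify): .*? - ([A-Za-z]:\\.*?\.dll)\b", re.I
)


def load_points(log_text):
    """Map each DLL path (lower-cased) to the set of HJT sections that load it."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            section = m.group(1).split(" - ")[0].upper()
            found[m.group(2).lower()].add(section)
    return dict(found)


def triage(log_text):
    """List DLLs present in both O2 and O20, with the reversed-name glob to check."""
    report = []
    for path, sections in sorted(load_points(log_text).items()):
        if {"O2", "O20"} <= sections:
            p = PureWindowsPath(path)
            # Reverse the base name, as in the thread's ssqpo.dll / opqss.* pair.
            companion = str(p.with_name(p.stem[::-1] + ".*"))
            report.append({"dll": path, "sections": sorted(sections),
                           "companion_glob": companion})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```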

     
  15. thebogusman

    thebogusman TS Rookie Topic Starter

    I'm holding my breath but .... it seems to have worked!

    A slight hiccough in that the fix could not find HiJack This and I was unable to manually locate it. I had no option but to reboot the PC. However, I ran it immediately and the three items you said would be there were there, so I fixed them

    Have attached the log.

    Thank you so very much. If you ever need the services of a motoring lawyer, send me an email.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
