TechSpot

I need help! cyberlog x has been on my computer all weekend!

By carlos_e927
Mar 9, 2008
Topic Status:
Not open for further replies.
  1. here are my logs. please help asap! :(
  2. kritius

    kritius TS Guru Posts: 2,087

    Hi carlos_e927,

    Please Download

    • SmitFraudFix
    • FixVH.reg right click on the link and then select Save Link As or Save File depending on your browser. Confirm that the file FixVH.reg now resides on your desktop as we will need it later.
    • Click on the Start button and then select the Run option.
    • In the Open: field type c:\windows\system32 and then press the OK button.
    • When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.
    • We now need to make it so you can see hidden files.

      1. Click on the Tools menu and select Folder Options.
      2. Click on the View tab.
      3. Under the Hidden files and folders category select Show hidden files and folders.
      4. Uncheck Hide protected operating system files.
      5. Press Apply and then OK.
      6. If you still can not see the file, then undo these changes and skip to step 11.

    • Scroll through the list of files in this folder and,
    look for iinqyl.dll. Right-click on iinqyl.dll and select rename. Rename the file to iinqyl.dll.bad.

    Look for the file wuuawkz.dll and rename the file to wuuawkz.dll.bad

    Look for the file eeioq.dll and rename the file to eeioq.dll.bad

    Look for the file txdkfh.dll and rename the file to txdkfh.dll.bad

    Look for the file wbchha.dll and rename the file to wbchha.dll.bad

    Look for the file heuvth.dll and rename the file to heuvth.dll.bad

    Look for the file xskmoqx.dll and rename the file to xskmoqx.dll.bad

    Look for the file lruvqvw.dll and rename the file to lruvqvw.dll.bad

    let me know which ones you find.

    Next, please reboot your computer into Safe Mode
    When your computer has started in safe mode and you see the desktop, click on the Start Menu button.

    Click on the Control Panel option.

    Double-click on the Add or Remove Programs icon.

    Find the entries for VirusHeat 3.9 or VirusHeat 4.3 and double-click on them to uninstall if found. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

    When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.
    Delete the following files and folders (Do not be concerned if a folder does not exist):

    C:\Windows\System32\iinqyl.dll.bad
    C:\Windows\System32\wuuawkz.dll.bad
    C:\Windows\System32\eeioq.dll.bad
    C:\Windows\System32\txdkfh.dll.bad
    C:\Windows\System32\wbchha.dll.bad
    C:\Windows\System32\heuvth.dll.bad
    C:\Windows\System32\lruvqvw.dll.bad
    C:\Windows\System32\xskmoqx.dll.bad
    C:\Program Files\VirusHeat 3.9\

    Close all open Windows.
    Now, double-click on the SmitFraudFix icon

    When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

    Press the number 2 on your keyboard and then press the enter key to choose the option Clean (safe mode recommended).

    The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program.

    This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically.

    When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.

    let me know how this goes.
  3. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    thanks! so far, i didn't find any of the files in the System32 folder. i am going to now restart the computer and run it in Safe Mode.
  4. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    i ran the scan and this is the log file that came up. i do not know if this is any use to you.
  5. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    here is the log. i deleted the host because it would not let me upload the file that big.
  6. kritius

    kritius TS Guru Posts: 2,087

    Ok then,

    You may want to print this or save it in Notepad to your desktop so you will have it while in safe mode.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: e404mgr Class - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1204882063.dll (file missing)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O2 - BHO: e404mgr Class - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1204882063.dll (file missing)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - C:\WINDOWS\system32\lruvqvw.dll (file missing)

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files (if found)
    C:\WINDOWS\system32\lruvqvw.dll

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
  7. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    here is the log. i was only able to find 3 from the hjt list.

    and i was not able to find the lruvqvw.dll file in the system32 folder.
  8. kritius

    kritius TS Guru Posts: 2,087

    Ok then, just a few more to clean up,
    Boot into safe mode again,
    open HJT and do a system scan only,
    close all browser windows except HJT and put a check against the following items,
    O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)


    Boot back into normal mode,

    I would also consider getting rid of Party Poker and the yahoo toolbar.

    Run another HJT log and post back with the results.
  9. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    i don't know how i got that yahoo tool bar. but i'm getting rid of it as well as the party poker.
  10. kritius

    kritius TS Guru Posts: 2,087

    Boot into safe mode again,
    Show all hidden files and folders,
    Do a search for yahoo toolbar and party poker and delete whatever you find just to ensure that they are all gone.
    open HJT and do a system scan only,
    close all browser windows except HJT and put a check against the following items,
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    Boot back into normal mode,

    Rehide all the hidden files.

    Download the Ccleaner programme if you don't already have it,

    Close all browsers. Run the programme and make sure all the boxes are ticked, including "advanced" box under the Windows tab (except for the Old prefetch Data option, this should be unticked) and Applications tabs and click the run cleaner button. Do this several times.

    Then do the same with the registry option.

    Hopefully it's nearly done. How are things running now?

    Run another HJT log and post back with the results.
  11. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    things are running better. no more pop ups. but sometimes when i start the computer, a spybot window comes up asking me if i want to allow some changes or deny.
     
  12. kritius

    kritius TS Guru Posts: 2,087

    ok then,

    Boot into safe mode and open HJT have it do a system scan only,
    Put a check next to these entries and select fix checked,

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    Boot back into normal mode,

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    --------------------------------------------------------------------------------------------------------

    get a firewall, either,
    Comodo
    Kerio
    Online Armor
    Zonealarm

    ----------------------------------------------------------------------------------------------------------

    Run HJT again and post a fresh log, the last one was looking a lot better

    What was Spybot asking you again?
  13. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    this is what it would ask me:


    Category: Global Browser Toolbar
    CHange: Value deleted
    Entry: {EF99BD32-C1FB11D2-892F-0090271D4F88
    Old data: hex:00

    Allow Change or Deny Change
  14. kritius

    kritius TS Guru Posts: 2,087

    That may have been the Yahoo or Google toolbar.

    Boot into safe mode and show all hidden files and folders and do a search for anything to do with the Yahoo! toolbar, delete whatever you find

    Have HJT fix these entries again.
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    Boot into normal mode and rehide your hidden files and then post another log.

    How are we in regards to the original problem?
  15. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    it has gotten a lot better. no more pop ups. nothing else is coming up as detected.
  16. kritius

    kritius TS Guru Posts: 2,087

    Run HJT and have it fix these entries again, this time from normal mode,
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
    O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    post a new log.

    I'd like to get rid of them before we can say it's a success.

    After you do that can you run combofix and post a log, I'd like to have someone look at it for me.
  17. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    thanks so much for all this. i really appreciate it.
  18. kritius

    kritius TS Guru Posts: 2,087

    Just one to delete this time, you can do it from normal mode.
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file),

    I'll get back to you about the combofix log.

    You're very welcome about the help, it's what we volunteer our time for.
  19. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    the past 2 days i noticed my internet has been running rather slow. i don't know if anything else is having an effect on it? besides me not having that great of a wireless modem, i was getting disconnected a lot more than usual.
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    @kritius -> teatimer is active and running
  21. kritius

    kritius TS Guru Posts: 2,087

    @ Blind. Dang! Never noticed that, did you get a chance to look at the Combo log? Cheers.

    @ carlos_e927 Disable the resident protection on spybot by going to the advanced options and turning it off, then rescan with ComboFix and HJT.
  22. carlos_e927

    carlos_e927 TS Rookie Topic Starter Posts: 25

    there we go. running a lot better.
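
Added example, not part of the original thread or written by its participants: a small parser for the HijackThis fix-list lines posted above. It flags orphaned entries ("(no file)" / "(file missing)") and reports which registry entries were listed for fixing in more than one round, the recurrence visible in this thread before Spybot's TeaTimer was noticed running. The function names and the `ROUNDS` structure are assumptions of this example; the sample lines are copied from posts 6, 8 and 10, abridged.

```python
import re
from collections import defaultdict

# HijackThis entry shape: "<section> - <kind>: <name> - {CLSID} - <path or (no file)>"
ENTRY_RE = re.compile(
    r"^\s*(?P<section>[A-Z]\d+)\s+-\s+(?P<kind>[^:]+):\s+(?P<name>.*?)\s+-\s+"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<target>.*?)\s*,?\s*$"
)

def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None if the line is not one."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["clsid"] = e["clsid"].upper()  # logs mix upper- and lower-case CLSIDs
    # Both markers mean the registry entry points at a file that is not on disk.
    e["orphaned"] = e["target"] == "(no file)" or e["target"].endswith("(file missing)")
    return e

def recurring_entries(rounds):
    """Map (section, CLSID) -> post numbers listing it, for entries seen in 2+ rounds."""
    seen = defaultdict(list)
    for post, lines in rounds:
        keys = {(e["section"], e["clsid"]) for e in map(parse_entry, lines) if e}
        for key in sorted(keys):
            seen[key].append(post)
    return {k: v for k, v in seen.items() if len(v) > 1}

# (post number, fix-list lines) taken from the helper's posts in this thread, abridged.
ROUNDS = [
    (6, [r"O2 - BHO: e404mgr Class - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1204882063.dll (file missing)",
         r"O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - C:\WINDOWS\system32\lruvqvw.dll (file missing)"]),
    (8, [r"O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)",
         r"O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)"]),
    (10, [r"O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)",
          r"O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)"]),
]

if __name__ == "__main__":
    for (section, clsid), posts in sorted(recurring_entries(ROUNDS).items()):
        print(f"{section} {{{clsid}}} listed for fixing in posts {posts}")
```

An entry that keeps returning after "Fix Checked" is a cue to look for something restoring it before repeating the fix.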