Help, my computer is infested

Apparently there is a virus on my computer that I can't seem to get rid of. I can find it in the processes, it's called vyvwyu.exe, and there's another called kykyhg.exe. I know that the file is located in the the prefatch folder, but when I try and delete the file it returns, I've also tried to run a selective startup making sure to not run the program, yet it still seems to startup. The wonderful virus is downloading other viruses and random programs onto my computer and I'm starting to have trouble keeping up with it...any help would be much appreciated.

 

First:

Download Windows XP Prefetch Clean And Control

Run this to flush out your Prefecth folder.

Second:

Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


After doing ALL of the above if you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

hey, sorry, I was in such a rush to post and get this fixed I didn't read the sticky's, I was actually running through them when I got your reply...that may have helped...we shall see

 

No Biggie! Just be sure you do as much as possible so we can make sure we get it all!

Good Luck!

Will be awaiting a response on how everything goes.

 

Ok, 2 problems,
1. I can't connect to the online scans because of my school firewall..
2. for some reason attachments is not working for me in the forum so I can't attatch the hijack this file.

 

Copy and paste the log inline and I will have it converted into an attachment.

 

Edit by chaslang: Inline log changed to attachment

 

Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


Post a new log after doing this and closing ALL browsers.

 

I have done all of those steps excluding the one I can't do...sending it as an attatchment. As I told you before, my browser is not letting me attatch files, I tried to and you told me to send it as a text and you would convert. Sorry, but the school network here is crap.

 

Perr

The big change he wants you to do is get HJT into a correct folder.
C:\DOCUME~1\MATTSM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
This shows you are running it from a temp folder. Just follow BJ's steps for extracting to the correct place. By giving him another log, inline if that is the only way you can, he can make sure you have HJT in a proper place. Actually if your log hasn't changed you could just copy the line that shows where HJT is in your running processes of your HJT log, to confirm proper placement.

 

Edit by chaslang: Inline log attached

 

ok, I did all 4 steps. here's the logs.

 

and the 3rd

 

WOW! tons of baddies!

Chas, you going to take this one my friend?

 

Sorry it's taken me so long to reply...my computer restarted itself and then wouldn't start up correctly. I had to go in and found that it was most likely a loose connection to the hard drive that made it not start..and may have caused the restart...is the restart a problem..I'm gonna run through the steps anyway.

 

here are he first 2 logs

 

Those scans are done..figured I'd send the first batch as soon as it was done..here's the stuff for #20
The troj scan didn't find anything. Bit defender is not working for some reason. It won't update...perhaps a problem with my firewall.
I copied the info from the rav into a text and the hjt txt is here as well.

 

everything seems to be working fine, a couple of the files you wanted me to delete weren't there, but I got rid of everything I could find.
I'm getting an error trying to upload the hjt log but I'll keep trying it.
Thanks alot.

 

Get me a current HJT log with another Generic Detection Log.

If you cant attach it paste it inline and I will have it converted.

 

after giving it some time, I'm still getting redirected to sites allthe time...the computer is running alot smoother though

 

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see any it, try to END it:

Rsbgub.exe

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thinkexist.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.enc.edu

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {19F869D9-B2A0-4B19-0B86-2FEF1867D1B0} - (no file)
O2 - BHO: (no name) - {CBC3C5AF-D7CA-964F-7756-846B27993CED} - (no file)
O2 - BHO: (no name) - {FD8AB6C2-2292-8C12-56AF-FB729D561146} - (no file)

O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rsbgub.exe

O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.6/TVTStage1.cab

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINDOWS\system32\Rsbgub.exe

NEXT:
Run CCleaner

Reboot to Normal Windows

FINAL STEP

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

After doing the above steps, scan with HJT and attach the new log. Also attach one more log from the Generic Detection log just to be sure.

 

Damn! Thanks Chas! About those other, I just like everything to be default. (sorry)

 

Alright, here's the latest hjt log

 

oops forgot generic det. tool

 

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

NOW:
Click Start > Run > type services.msc and Click OK

Locate byyzxmgjbwfo (vkvfplvs5) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: (no name) - {19F869D9-B2A0-4B19-0B86-2FEF1867D1B0} - (no file)
O2 - BHO: (no name) - {CBC3C5AF-D7CA-964F-7756-846B27993CED} - (no file)
O2 - BHO: (no name) - {FD8AB6C2-2292-8C12-56AF-FB729D561146} - (no file)

O23 - Service: byyzxmgjbwfo (vkvfplvs5) - Unknown owner - C:\WINDOWS\System32\klgkydbn5.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Download and Run CWShredder 2.14
*Click FIX instead of scan*

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\System32\services ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\system32.dll

C:\WINDOWS\System32\msxslab.dll

C:\WINDOWS\System32\jac.dll

C:\WINDOWS\System32\d2kpax.dll

C:\WINDOWS\System32\d2kpax.exe

C:\WINDOWS\System32\n?pdb.exe

NOW:
Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

NEXT:
Run CCleaner

Reboot to Normal Windows , Scan with HijackThis and attach the new log along with one last Generic Detection Log.

 

sorry the reply took so long...been really busy

 

sorry for the time, I haven't used my computer much since the 6th...haven't even had a lot of time to sleep.

 

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thinkexist.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.enc.edu
(If you know this entry, leave it as is!)

O2 - BHO: (no name) - {19F869D9-B2A0-4B19-0B86-2FEF1867D1B0} - (no file)
O2 - BHO: (no name) - {CBC3C5AF-D7CA-964F-7756-846B27993CED} - (no file)
O2 - BHO: (no name) - {FD8AB6C2-2292-8C12-56AF-FB729D561146} - (no file)

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Locate PocketKillbox

Now, Copy and Paste CC:\WINDOWS\System32\msxslab.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\jac.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\d2kpax.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\system32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\d2kpax.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\n?pdb.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\services into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

Reboot into Safe Mode

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!