Should i delete gyreo83122.exe file?

Discussion in 'Malware Help (A Specialist Will Reply)' started by OnionGulch, Jan 2, 2008.

  1. OnionGulch

    OnionGulch Private E-2

    Thanks to IE I got infected with the Trojandownloader.xs virus. Thanks to your site and going through the steps in READ & RUN ME FIRST. Malware Removal Guide, I think I got the trojan about whipped. (used ccleaner, combofix.exe, SpyBot - Search & Destroy, Ad-Aware, Avast and MGtools.exe)

    But I did see something when I scanned through newfiles.txt. I saw the text posted below; this folder was created at the same time I got the trojan. I used Windows Explorer to check out this folder and I found this file, gyreo83122.exe.

    Locating new folders created in C:\WINDOWS\system32 within the last 120 days.

    "C:\WINDOWS\system32\"
    MR9 Jan 1 2008 "mr9"

    1 item found: 0 files, 1 directory.


    But newfiles.txt said there was no file. I was curious why it did not see this file? I did a Google search, only 4 mentions of the file. One link said the file is the Zquest.G trojan. So I'm thinking I should delete this file.

    If this is a trojan\virus, is it pretty new, since none of the programs I ran today to clean up my computer did anything with this file?

    I attached my log files if you guys want to take a look at them. Thanks again for your guys' HELP! Much appreciated! :)
     

    Attached Files:
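The poster's question above is why newfiles.txt reported "0 files, 1 directory" when gyreo83122.exe was sitting inside the new mr9 folder. The following is an added example written for this page, not part of the thread and not MGtools' own code: it builds a constructed stand-in for C:\WINDOWS\system32 in a temporary directory, then compares a scan that only checks the age of the top-level entries (which reports the fresh folder but nothing inside it) with a scan that also recurses into whatever it finds. It assumes modification time (st_mtime) as the age signal; the real newfiles.txt check may use creation time instead.

```python
import os
import tempfile
import time

DAY = 86400


def recent_entries(root, days, recurse=False):
    """Return (dirs, files) under root modified within the last `days` days.

    recurse=False mimics a listing that only inspects the direct children of root:
    a freshly created folder is reported, but a file dropped inside it is not.
    recurse=True walks into every directory, so the dropped file is reported too.
    """
    cutoff = time.time() - days * DAY
    new_dirs, new_files = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime >= cutoff:
                new_dirs.append(os.path.relpath(full, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime >= cutoff:
                new_files.append(os.path.relpath(full, root))
        if not recurse:
            break  # only the top level was examined
    return sorted(new_dirs), sorted(new_files)


def build_sample_tree():
    """Constructed stand-in for system32 (assumption: not the poster's real machine)."""
    root = tempfile.mkdtemp(prefix="system32_sample_")
    old = time.time() - 200 * DAY  # older than the 120-day window

    # Long-standing, legitimate-looking entries, back-dated to 200 days ago.
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "etc"), "w") as fh:
        fh.write("old")
    with open(os.path.join(root, "kernel32.dll"), "w") as fh:
        fh.write("old")
    # Children first, then the directory, so the directory mtime stays old.
    os.utime(os.path.join(drivers, "etc"), (old, old))
    os.utime(drivers, (old, old))
    os.utime(os.path.join(root, "kernel32.dll"), (old, old))

    # A fresh folder with a file dropped inside it, mirroring mr9\gyreo83122.exe.
    dropped = os.path.join(root, "mr9")
    os.makedirs(dropped)
    with open(os.path.join(dropped, "gyreo83122.exe"), "w") as fh:
        fh.write("new")
    return root


def demo(days=120):
    """Run both scans over the sample tree; returns (top_level_result, recursive_result)."""
    root = build_sample_tree()
    return recent_entries(root, days), recent_entries(root, days, recurse=True)


if __name__ == "__main__":
    top, deep = demo()
    print("top level only :", top)   # (['mr9'], [])
    print("recursive      :", deep)  # (['mr9'], ['mr9/gyreo83122.exe'])
```

The top-level scan is exactly the shape of the quoted "1 item found: 0 files, 1 directory." result; the recursive scan is what you want when a new folder shows up in a system directory, because the folder itself is rarely the payload.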

  2. abri

    abri MajorGeek

    Hi Onion_Gulch!
    Welcome to Major Geeks!

    The reason Trojans are tricky is because you either can't delete the files or they simply make new ones when you delete them. Please let us look at your logs and see what needs to be done. This can take some time, so thanks for being patient. You have a bad new variant of Vundo. Please do not use your computer or boot unnecessarily. This will make things worse.

    abri
     
  3. abri

    abri MajorGeek

    Hi Onion Gulch!

    In order for things to work properly, it's necessary to disable Spybot's TeaTimer and to put your computer into normal system start rather than selective startup (as described in the READ & RUN ME). I will give you instructions for each of these and then post a scan I want you to run.

    NOTE: The following 3 steps require a reboot. Do NOT REBOOT until you do ALL THREE!!


    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.1_02
    - Java(TM) SE Runtime Environment 6



    3) After disabling TeaTimer, please click on Start/Run, type in msconfig and check the box that says Normal System Start.

    4) Now Reboot after completing all of the above steps.


    5) Once you've booted back up continue by installing the current version of Sun Java from: Sun Java Runtime Environment


    6) After you've completed the above, please continue with the following scan. This scan may take several steps.
    • Download RenV.exe from the following link and save it to the Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
      As soon as you complete the above and have attached the requested log, please continue with the instructions below the line:

      ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

      7) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes. Please let me know if you get a success message!
      8) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

      O2 - BHO: (no name) - {38311C02-7FF0-4A6F-9CD9-6200A6A3104A} - (no file)
      O2 - BHO: (no name) - {38F0EDA1-4344-4DBB-AD42-E469B638E898} - (no file)
      O2 - BHO: (no name) - {8C1A2249-63DA-42E9-826A-FD21C0672E6B} - C:\WINDOWS\system32\pmkji.dll
      O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Zboard Software\Driver\ZboardTray.exe" /autolaunch


      After you click fix, just close hijackthis.

      9) Now download The Avenger by Swandog46, and save it to your Desktop.
      • Extract avenger.exe from the Zip file and save it to your desktop
      • Run avenger.exe by double-clicking on it.
      • Check the 'Input script manually' box.
      • Click on the magnifying glass icon.
      • Copy everything in the Quote box below, and paste it in the box that opens:
      • Now click the 'Done' button.
      • Click on the traffic light icon and OK the prompt.
      • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
      • A log file from Avenger will be produced at C:\avenger.txt
      10) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

      NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
      • Double-click ATF-Cleaner.exe to run the program.
      • Under Main choose: Select All
      • Click the Empty Selected button.
      If you use Firefox browser
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use Opera browser
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main ATF Cleaner menu to close the program.


      11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


      There are a couple of things left to do, depending on which files are found. Let me know how things went.

      abri
     
  4. OnionGulch

    OnionGulch Private E-2

    Ok, here is log.txt from RenV. On to step 7.

    Step 7 successful, added lines to registry.

    For your information, Zboard is a keyboard I use for Doom III if that helps. KB has extra wide keys for gaming.
     

    Attached Files:

  5. OnionGulch

    OnionGulch Private E-2

    Running Do a system scan only did not show these two entries:

    O2 - BHO: (no name) - {38311C02-7FF0-4A6F-9CD9-6200A6A3104A} - (no file)
    O2 - BHO: (no name) - {38F0EDA1-4344-4DBB-AD42-E469B638E898} - (no file)

    just the other two.



    Also should this file be listed in win.ini file?

    F3 - REG:win.ini: load=C:\system32\pmkji.exe

    Ok did steps 8-10.

    I checked after doing MGlogs and gyreo83122.exe is still there in the mr9 folder.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi OnionGulch!

    Thanks for telling me about your keyboard. Is it working? If not go back to the previous restore point (Start / All Programs / Accessories / System Programs / System Restore) and I will redo that one set of instructions and have you do them over. Otherwise continue as follows:


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkji.exe
    O2 - BHO: (no name) - {0F794B81-FB17-4B58-9916-97EE9AD21002} - C:\WINDOWS\system32\pmkji.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
    O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe

    After you click fix, just close hijackthis.

    3) Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    4) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    5) And now run ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how this went. There are offset .exe files in some of your programs and it may be necessary to remove them, but we don't want to remove the wrong ones. For more information about a similar problem, please refer to the following thread. http://forums.majorgeeks.com/showthread.php?t=146945&highlight=dr2391

    abri
     
  7. OnionGulch

    OnionGulch Private E-2

    Don't use Zboard KB on that computer anymore, use it on new computer now.

    When I brought my computer out of stand by mode, Avast said "Adware was found"

    C:\DOCUME~1\Chuck\LOCALS~1\Temp\qraywctb.exe

    Win32:Agent-PCJ [Adw]

    Adware

    080103-0, 01/03/2008


    I let Avast put file in the chest.


    After running Do a system scan only couple of new ones showed up:

    O2 - BHO: {a5b6be70-d944-b97b-9d64-ac9125160656} - {65606152-19ca-46d9-b79b-449d07eb6b5a} - C:\WINDOWS\system32\kxyfguij.dll

    O4 - HKLM\..\Run: [bc2fa6a4] rundll32.exe "C:\WINDOWS\system32\fkvofjkq.dll",b


    I checked the 4 you listed and also checked the kxyfguij.dll. I hope that was OK.

    When I clicked on the Fix button Avast came up with a trojan warning:

    C:\MGtools\backups\backup-20080104-130056-170.dll

    Win32:TratBHO [Trj]

    Trojan Horse

    080104-0, 01/04/2008


    I told Avast to take no action since HijackThis was doing its fix. After the Avast window closed, the HijackThis OK window came up and I said OK for the fix. But I'm curious, when I ran fix yesterday, HijackThis did not trigger a trojan error.


    Just to let you know, I did not install this program:

    O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start

    SpyGuardPro got added when trojan kick in New Years.


    Looking through newfiles.txt, I saw this new file listed: qkjfovkf.ini, so I opened the file and made a copy of what was listed. Don't know if this will help.

    -âpRÓ z 8 ² ² ² Ò Ò Ò Ò Ò Ò Ò  é

    Thx again for all your help in this!
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Onion Gulch,

    Please be patient with this process as it's tricky. Opening an unknown file can cause it to execute, so please don't open anything you don't recognize. Also, you don't seem to have any Windows Updates. This is not the right moment to download updates, but I wondered why you don't have them?


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkji.exe
    O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start
    O4 - HKLM\..\Run: [bc2fa6a4] rundll32.exe "C:\WINDOWS\system32\fkvofjkq.dll",b

    After you click fix, just close hijackthis.

    2) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    3) Please run ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    abri
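The HijackThis lines quoted in this thread (the O2 BHO entries with "(no file)" or "(no name)", the F3 win.ini load= entry, the O4 Run value named with a bare hex string that launches a DLL through rundll32, and the "QTTask .exe" path with a space before the extension that abri calls an offset .exe) are all indicators a helper looks for when reading such a log. The following is an added example, not part of the thread and not HijackThis or MGtools code: a small Python triage pass that parses lines in HijackThis format and reports which of those indicators each line triggers. The sample lines are constructed from the entries quoted above plus one benign Java entry for contrast; troy44.exe is deliberately left in to show that a path-only heuristic does not catch everything a human reviewer of the full logs did.

```python
import re

# Constructed sample lines in HijackThis log format, modelled on the entries quoted
# in this thread; the final line is a constructed benign entry for contrast.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {38311C02-7FF0-4A6F-9CD9-6200A6A3104A} - (no file)",
    r"O2 - BHO: (no name) - {8C1A2249-63DA-42E9-826A-FD21C0672E6B} - C:\WINDOWS\system32\pmkji.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [bc2fa6a4] rundll32.exe "C:\WINDOWS\system32\fkvofjkq.dll",b',
    r"O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkji.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"',
]

# "O2 - ..." / "F3 - ..." section prefix followed by the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Run value whose name is nothing but a hex string, e.g. [bc2fa6a4].
HEX_VALUE_NAME_RE = re.compile(r"^\[[0-9a-fA-F]{6,}\]")
# A space immediately before the extension, e.g. "QTTask .exe" beside the real QTTask.exe.
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(exe|dll|scr|com)\b", re.IGNORECASE)
# rundll32 invoking an export of a DLL at logon.
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"\s]+\.dll"?,', re.IGNORECASE)


def triage_line(line):
    """Return the list of reasons a HijackThis line deserves a closer look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []

    if section == "O2":  # Browser Helper Objects
        if body.endswith("(no file)"):
            reasons.append("orphan BHO: CLSID still registered but its DLL is gone")
        elif body.startswith("BHO: (no name)"):
            reasons.append("BHO with no name loading a DLL")

    if section == "F3" and re.search(r"load=\S", body):  # win.ini load= line in use
        reasons.append("win.ini load= autostart in use (legacy mechanism, rarely legitimate today)")

    if section == "O4":  # registry Run keys
        value = body.split(": ", 1)[1] if ": " in body else body
        if HEX_VALUE_NAME_RE.match(value):
            reasons.append("Run value named with a bare hex string")
        if RUNDLL_RE.search(value):
            reasons.append("rundll32 launching a DLL export at startup")

    if SPACE_BEFORE_EXT_RE.search(body):
        reasons.append("space before the file extension (look-alike of a legitimate file name)")
    return reasons


def triage_log(lines):
    """Return [(line, reasons)] for every line that triggered at least one rule."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Each rule corresponds to one thing the helper pointed at in this thread rather than to a signature, which is why the pass is only a reading aid: it shortlists lines for a human to check against the other logs, and removal decisions still belong with the person reviewing the whole picture.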
     
  9. OnionGulch

    OnionGulch Private E-2

    I hear bad stories of Windows updates and hotfixes fixing one problem but causing a new one, so I wait for a service pack to be released before doing updates.

    Today no warning from Avast when logging back into XP after coming out of standby mode.

    After running Do a system scan only,

    O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe

    showed up again. I left it alone, clicked the 3 you listed and clicked Fix.
     

    Attached Files:

  10. abri

    abri MajorGeek

    I recommend you abandon this strategy. Yes, in a very few instances, it's better not to have a seatbelt on when you get in a car wreck, but statistically your odds are much better with one. The updates each address a vulnerability or a bug in the operating system and other software. What I recommend to you is that as soon as your system is completely clean and you have set a clean restore point, as you will be requested to do in the final clean-up instructions, you afterwards download and install all the updates. If you do them manually, you can do part of them. For instance you can start with all the security updates. Then if you find that you have problems, you can return to the restore point where you know your computer is working and they will all be gone again. I do this regularly myself - set a new restore point before I install Windows updates. If you choose to do them manually, you can read in detail about each one and you can also install them one at a time. In the descriptions it tells you if there are any known issues and in what conditions they might occur. Your computer is VERY vulnerable without them.


    And now to continue:

    So far we've gotten rid of part of what is ailing your computer. Now I would like for you to do the following:

    1) Please go to the READ & RUN ME FIRST and download and install Combofix. Install it exactly according to the instructions and allow it to install over the previous version. Then run it again and when you finish up everything here, attach the log with the other logs I'll be requesting.

    2) Please run analyse.exe in the MGTools folder and fix the troy44 file. Remember to close your browser windows before you hit Fix.

    3) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:

    4) And now run ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the log from Combofix.

    Thanks.
    abri
     
  11. OnionGulch

    OnionGulch Private E-2

    After running Do a system scan only I did not see anything new pop up. I clicked O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe and then clicked Fix.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi onion gulch!

    It's looking better. There are still two Windows files which have been affected by the virus. Not related, but while I'm thinking of it, please go to your guest account and disable it.

    Next I would like for you to download and reinstall RenV over the previous version and run the scan below. Attach it here when you're finished.

    • Download RenV.exe and save it to your Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    abri
     
  13. OnionGulch

    OnionGulch Private E-2

    I checked the Guest account and it was set to OFF. Is this what you mean by disabling the Guest account, or do you want me to do something more?
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi Onion Gulch!

    Please copy the contents of the box into Notepad and store the file on the Desktop as Log.txt It must be on the Desktop!
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Attach the below new logs:
      • Log.txt
      • C:\ComboFix.txt
      • C:\MGlogs.zip
    abri
     
  15. OnionGulch

    OnionGulch Private E-2

    Here you go.
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi Onion Gulch!

    I don't see any more malware. If you're not having further malware symptoms, please do the following:
    abri
     
  17. OnionGulch

    OnionGulch Private E-2

    Thank you very, very, very, very much for your great help!!!!

    Where is the donate button? :)
     
  18. abri

    abri MajorGeek

    Glad things are working better now!
    We don't have a donate button, so just add a few smiles to the world.
    Enjoy your computer.
    abri
     
