Evil "critical system errors", please help me destroy this f**king adware
I have gotten a virus (don't know where from, I just booted up my PC one day and it was there). It basically causes loads of popups in IE and sits in the taskbar and makes the occasional taskbar popup appear. I will tell you everything I have done to try to remove it: googled it and followed instructions for removing it (didn't work), used various up-to-date anti-virus and spyware tools etc., gone through my registry and startup stuff (did not find anything that wasn't there before). I found that the virus is in my System Volume Information folder so I tried accessing that, but it didn't let me in Windows, so I tried booting in Knoppix and deleting it from there but it would not let me. I think that I have a new version of it as no decent anti-spyware, anti-virus etc. seems to remove it; also I can't find the normal .exes and .dlls that accompany it (except the one that wouldn't be deleted in the System Volume Information folder). It's annoying me to no end; if anyone has any ideas on how to remove it please help (I might not have listed everything I did to remove it, that's just the stuff I remember off the top of my head).
Try getting Process Explorer from Sysinternals. It should show all processes that are running, and you can usually work out which one is the malware.
If you can't tell from that, get Spybot Search & Destroy and AdAware, update the definitions, and scan with those. The pair of them will usually destroy most malware.
If that won't work, try googling all your running processes, until you find the malware.
koolkeith12345 wrote: I have gotten a virus (don't know where from, I just booted up my PC one day and it was there)
Either downloaded pr0n or a 'hacking' tool.
Also try spacing out posts. People won't be bothered to read it otherwise.
Anyway, if you have a genuine Windows OS then you can get AntiSpyware free from Microsoft.com
koolkeith12345 wrote: I have gotten a virus (don't know where from, I just booted up my PC one day and it was there). It basically causes loads of popups in IE and sits in the taskbar and makes the occasional taskbar popup appear.
This doesn't mean it is a virus... The words "virus" and "hackers" have both been blown out of proportion.
koolkeith12345 wrote: I will tell you everything I have done to try to remove it: googled it and followed instructions for removing it (didn't work), used various up-to-date anti-virus and spyware tools etc., gone through my registry and startup stuff (did not find anything that wasn't there before)
Click Start -> Run -> msconfig.
Click on "Services", tick "Hide all Microsoft services"
and disable what you don't want to...
Check msconfig's "Startup" tab too...
koolkeith12345 wrote: I found that the virus is in my System Volume Information folder so I tried accessing that, but it didn't let me in Windows, so I tried booting in Knoppix and deleting it from there but it would not let me.
Try booting from a bootable DOS floppy/pendrive/CD etc., then change to the System Volume Information folder and do your stuff...
If you can somehow access Windows normally, try Safe Mode: end task your explorer, open "cmd" from Task Manager's "New Task" option, and try deleting the file...
You won't be able to delete the whole System Volume Information folder as there is always a file named changed.log or something that is used to keep the changes for System Restore...
Or if possible download a tool named HijackThis... run that tool, it will make a log file of the running processes, startup items etc. etc... Post that log file;
it would be better...
Either downloaded pr0n or a 'hacking' tool.
Anyway, if you have a genuine Windows OS then you can get AntiSpyware free from Microsoft.com
Haha no I did not, I'm usually sensible about downloads; anyway, what's the point of downloading pr0n when you can just view it online. My OS is genuine and I have tried loads of reputable tools like Ad-Aware, Spybot S&D. I also have run msconfig but no results. I have used several tools to view all my tasks and none showed anything out of the ordinary. I've booted up in safe mode and stuff but not tried ending explorer, and when I booted in Knoppix it was from CD. Thanks for all the responses, I will go through all methods listed I haven't tried and hopefully will get rid of it; if not I will just have to wait until one of my tools gets the appropriate update.
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 04:02:44, on 28/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Keith\LOCALS~1\Temp\Rar$EX00.282\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\yyhmwuro.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?bd2c8fb716f74bde8637efd3d0cc13fd
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?bd2c8fb716f74bde8637efd3d0cc13fd
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
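Everyone in the thread is reading the log above by eye. As an added example (not part of the original thread, and not HijackThis's own code), here is a small Python parser for HijackThis-style lines that picks out the autostart entry types (O4 Run keys, O20/O21 Winlogon and SSODL hooks, O23 services), extracts the binary each one runs, and flags entries whose binary is not in a known-good baseline, noting why each one deserves a look. The sample lines are copied from the log posted here, and the baseline set is constructed for the example; a real baseline would come from a known-clean machine.

```python
"""Flag suspicious autostart entries in HijackThis-style log text.

Added example for this thread; it is not HijackThis code and not the poster's.
"""
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\yyhmwuro.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""

# HijackThis entry types that describe code loaded automatically at boot or logon.
AUTOSTART_TYPES = {"O4", "O20", "O21", "O23"}

# Constructed baseline: binaries this XP box is known to autostart legitimately.
# In practice this comes from a known-clean machine, not from the infected one.
BASELINE = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\java\jre1.5.0_10\bin\jusched.exe",
    r"c:\windows\system32\zonelabs\vsmon.exe",
}

# "O4 - <body>" / "R1 - <body>": entry type, then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.+)$")
# A drive-letter path ending in .exe or .dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))"?', re.IGNORECASE)


def parse_entry(line):
    """Split one log line into (entry type, body, lower-cased path or None).

    Returns None for lines that are not HijackThis entries (headers, process list).
    """
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group("path").lower() if pm else None
    return m.group("type"), body, path


def flag_entries(log_text, baseline=BASELINE):
    """Return a list of findings for autostart entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        etype, body, path = parsed
        if etype not in AUTOSTART_TYPES or path is None:
            continue
        reasons = []
        if path not in baseline:
            reasons.append("binary is not in the known-good baseline")
        if etype == "O21":
            reasons.append("loaded at logon through SharedTaskScheduler (SSODL), "
                           "which very little legitimate software uses")
        if "rundll32" in body.lower() and path.endswith(".dll"):
            reasons.append("DLL hosted by rundll32, so it has no process of its own "
                           "in Task Manager")
        if reasons:
            findings.append({"type": etype, "path": path,
                             "reasons": reasons, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run against the sample, the two entries the thread ends up chasing (the rundll32-hosted yyhmwuro.dll and the SSODL-loaded tpedvf.dll) are flagged, as is the New.net entry; the Java updater, ctfmon and the ZoneAlarm service are in the baseline and stay quiet. The rundll32 reason is the detail that explains the poster's complaint that nothing shows in Task Manager: a DLL run that way only ever appears as rundll32.exe.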
Loads of popups?
Critical system error?
LMAO! you have a spyware called VirusBurst
http://forums.spybot.info/showthread.php?t=7209
Use that, it will help you fix it.
-Bl4ckC4t
bl4ckc4t wrote: Loads of popups?
Critical system error?
LMAO! you have a spyware called VirusBurst
http://forums.spybot.info/showthread.php?t=7209
Use that, it will help you fix it.
-Bl4ckC4t
I already knew that I had VirusBurst but it's a different version to any removal instructions I have found (including your link). The one in your link talks about the icon in the tray being a blue question mark or something; mine looks like a mine and changes to look like a yellow triangle with an exclamation mark in it. Thanks for trying to help but like I say I'm sure it's a different version.
koolkeith, you can access the System Volume Information folder, but you first have to allow your account to access it through the command prompt. This is how:
First make sure you're at the C:\> prompt,
then this is what you put in:
C:\> cacls "System Volume Information" /G youraccountname:F
(make sure that if your account name is more than one word you use * in between the words)
That will give you access to your System Volume Information folder, although there is a reason why Windows doesn't allow access to it, and it's because anything you do in there could potentially screw up your comp. You can try your luck with finding it there because there are shitloads of files there, but personally I wouldn't do that. I'll say this for probably the 50th time: download AVG Anti-Spyware, it's free and it catches a lot more things than Spybot and Ad-Aware, although that doesn't mean to uninstall Ad-Aware or Spybot because they still do catch some things, but download AVG Anti-Spyware, it's free and awesome.
AVG Anti-Spyware should pick up everything for you, though, as well as many other things you may have known to be on your comp before :D
C:\WINDOWS\system32\tpedvf.dll is a trojan used by VirusBursters.
It loads from this entry in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Also check this entry in the registry: HKEY_CLASSES_ROOT\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}
It will have the name of the file that is to be loaded... find all the files named in that key and delete them.
And if you get an error like "cannot delete file" or something like that... open HijackThis, click on "Config", then on "Misc Tools", then click on the button "Delete File On Reboot" and do your stuff...
"C:\WINDOWS\system32\yyhmwuro.dll",setvm: I don't know what this file is... but I'm suspicious about it... try disabling it... or renaming the file...
Then generate a log file again... if it still appears... you know what to do...
After taking these steps follow the VirusBursters removal instructions... (give it a try one more time)
Please post back the log file again... just to get it verified...
Please update your virus definition files too...
Tried removing the yyhmwuro.dll file; didn't work. I really don't think it's in the registry, and it still appears when I boot in safe mode, which is unusual as I haven't had any virus that does that. I am really stumped as it doesn't show up in any task manager I have tried, so I can't find the process, and it doesn't appear to be in my registry as I went through it googling each one I wasn't 100% sure wasn't it. If anyone has any idea on how to remove a virus/adware/whatever it is that is hidden from every task manager I have tried, doesn't appear to be in the registry and is a pain in the ass. It also causes popups in IE even when I'm browsing in Firefox; a new window appears (I don't usually use IE).
koolkeith12345 wrote: Tried removing the yyhmwuro.dll file; didn't work. I really don't think it's in the registry, and it still appears when I boot in safe mode, which is unusual as I haven't had any virus that does that.
Open HijackThis, click on "Config", then on "Misc Tools", then click on the button "Delete File On Reboot", select the file "C:\WINDOWS\system32\yyhmwuro.dll" and click yes to reboot.
If that doesn't help... download this "Dr.Delete": http://www.docsdownloads.com/download/DD.zip (more info at http://www.docsdownloads.com/dr-delete-1.htm)
Do you use PrevX1, an anti-malware / intrusion prevention software? If not you would have to delete "C:\Program Files\Prevx1\PXAgent.exe". HijackThis showed a missing file... maybe that's a glitch...
In IE go to Tools -> Manage Add-ons and check if any suspicious file is there.
Post back another HijackThis log... please verify your virus definition files are updated.