
A strange virus! please help me!?


My computer has been infected by a virus and I really don't know what to do. I've tried everything I could think of but no use. I couldn't find the name of this virus, so if you know about it, please help me. What's the name of this virus?
I'll try to explain what a disaster this virus is:
First of all, it doesn't allow me to install "Nod32" or "Kaspersky" and aborts their installation (even if I try to install them right after installing a fresh Windows XP on a formatted drive), and I tried "Avast!", "Panda", and "BitDefender" (all of them up to date), but they couldn't find or remove this virus, and there was no other antivirus available!
This virus doesn't allow me to see "System Properties" or run "msconfig" and "regedit". Also it doesn't allow me to see hidden files and folders (even when I change the setting for showing hidden files in "Folder Options"), and when I try to see hidden files using other software, say "WinNC3000", this virus closes that software.
Another change is that in the right-click menu on every drive except drive "C" (Windows drive), the "Open" and "Explore" items are shown in some unknown characters and they don't work.
Also, there are two unknown processes in "Task Manager", "yreghpl.exe" and "wbegdwp.exe". I can't end them because they open again immediately.
The worst problem is that even if I format my Windows drive and install a fresh Windows, immediately after installation this virus is active!
I have lots of information and data on my hard disk and definitely don't want to lose any of them.
Please help me!!!!

You said you formatted...but you still have all of your data? Did you actually format, or did you simply reinstall Windows?

Those running processes make me suspect Vundo. Go ahead and download/save HijackThis to C:\Program Files\HJT and post a log here (it may take several posts).

Quote from: CBMatt on July 11, 2007, 06:32:59 AM

You said you formatted...but you still have all of your data? Did you actually format, or did you simply reinstall Windows?

Those running processes make me suspect Vundo. Go ahead and download/save HijackThis to C:\Program Files\HJT and post a log here (it may take several posts).
By formatting I meant I formatted my Windows drive (C:)...not all of the hard disk.

As you said, I downloaded/saved HijackThis to C:\Program Files, but when I run it (I mean when I double-click it) nothing happens. What am I supposed to do? Log? What log? Where is it?

1. Go here and download the hijackthis.zip.
2. Make sure the zip file is on your desktop. Make a folder on your desktop named hijackthis. If you are using the basic Windows extractor, please open the zip by double-clicking it and go to File > Extract All. The wizard should open up. Click Next, click Browse and find the folder you made on the desktop. Then click Next.
3. Now go to the folder on your desktop, open it and double-click on the icon in the folder. Click the button that says "Do a system scan and save a logfile".
4. Once Notepad opens up, please copy the complete log to a new post in this topic; remember it might take more than one post to fit the complete log.

It's strange! "HijackThis" doesn't work! When I double-click on it, nothing happens! The first time I ran it, "yreghpl.exe" crashed and I saw an error (send to Microsoft), but of course this process didn't stop and immediately began again.
Now when I run "HijackThis" again, simply nothing happens!

If its ability to run is being blocked by the infection, you could try renaming it to HJT2.exe or similar.

Yes, renaming it is definitely the first thing you should try. Give it a random inconspicuous name...like subzeroking.exe.

Also...these filenames with random letters lead me to suspect Vundo, so go ahead and try this...

1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files. Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file. Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file. Please locate this file and paste the contents in your next post.

First of all, I should say that I really appreciate your help. Thank you!
I tried everything that CBMatt said, but VundoFix found nothing.
At last I managed to run "HijackThis" (by renaming it) and get a log file. But before I post the log file I should say that first I ended all the processes that I was able to (and I knew all of them), then I ran "HijackThis".

Logfile of HijackThis v1.99.1
Scan saved at 4:27:05 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\yreghpl.exe
C:\Program Files\Common Files\System\vbegdwp.exe
C:\Documents and Settings\Subzero\Desktop\hijackthis\HJT2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [] C:\Program Files\Common Files\Microsoft Shared\
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ulmasjm] C:\Program Files\Common Files\System\vbegdwp.exe
O4 - HKLM\..\Run: [bptnsvr] C:\Program Files\Common Files\Microsoft Shared\yreghpl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
O20 - AppInit_DLLs: qhbpri.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
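As an added illustration (not something posted in the thread), the script below applies to the log above the checks a responder like CBMatt works through by eye: Run entries with random-letter names, the Run entry with an empty value name, executables launched from under Common Files, and any non-empty AppInit_DLLs value. The sample lines are copied from the posted log; the vowel-ratio threshold in looks_random is my own heuristic, not a HijackThis rule.

```python
import re

# Sample entries copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [] C:\Program Files\Common Files\Microsoft Shared\
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ulmasjm] C:\Program Files\Common Files\System\vbegdwp.exe
O4 - HKLM\..\Run: [bptnsvr] C:\Program Files\Common Files\Microsoft Shared\yreghpl.exe
O20 - AppInit_DLLs: qhbpri.dll
"""

# "O4 - HKLM\..\Run: [value name] command" and "O20 - AppInit_DLLs: dlls"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


def looks_random(name):
    """Heuristic (my own): 6+ lowercase letters with few vowels, e.g. 'bptnsvr'."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.3


def analyze(log_text):
    """Return [(log line, [reasons])] for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group(2), m.group(3)
            # File name without extension; an empty stem means the path was a directory.
            stem = cmd.rstrip("\\").rsplit("\\", 1)[-1].split(".")[0]
            if not name:
                reasons.append("autorun with empty value name")
            if looks_random(name) or looks_random(stem):
                reasons.append("random-looking name")
            if "\\Common Files\\" in cmd:
                reasons.append("runs from Common Files (unusual autorun location)")
        m = O20_RE.match(line)
        if m:  # anything here is injected into every process that loads user32.dll
            reasons.append("AppInit_DLLs set: " + m.group(1))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```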

Hm...although you say VundoFix came up with nothing, I still suspect it...

First of all, go to VirusTotal and scan the following files...

C:\Program Files\Common Files\System\vbegdwp.exe
C:\Program Files\Common Files\Microsoft Shared\yreghpl.exe
C:\WINDOWS\system32\qhbpri.dll

Once you have scanned them, please post the results here. After doing so, go ahead and delete these files in Safe Mode. Along with your VirusTotal results, post a new HijackThis log and we'll take things from there.

Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.