Problem with W32/bugbear Virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
I have a Pentium2 PC running Win98SE. I had AVG 6 Anti-Virus running on the PC. The PC got infected by the W32/Bugbear virus. AVG picked up the virus but the PC froze just after a normal boot. In safe mode the virus program can remove the virus but as soon as you reboot the virus is back. I then removed AVG and scanned the PC with the Bugbear removal utility from AVG without success. I downloaded Stinger from McAfee. This anti-virus program removes the virus in safe mode but after a reboot the virus is back. In a normal boot the virus is detected by Stinger but it is unable to remove it. The virus created a file in c:\windows\system with the name yeqyfeg.dll.
I tried to delete the file manually but I can't because I get the message that Windows is using the file. In safe mode the file is not there to delete.
Can anyone please help me with this?
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301
Hiya

I've moved you to Security, where you may get more replies :)

eddie
 
Joined
Oct 9, 2001
Messages
9,396
Go here: http://www.snapfiles.com/screenshots/moveonboot.htm
Download "MoveOnBoot".......once installed you will get an extra right-click context entry to "Delete file on next re-boot".........the file will be nuked before it can be put into memory by Windows.

If you want someone to check things out.....
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.....
Unzip it to its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
Here is the HijackThis logfile:

Logfile of HijackThis v1.97.7
Scan saved at 12:09:13, on 04/04/24
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capetourism.org/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
Here is the startup list from HJT:

StartupList report, 04/04/24, 01:31:38 nm
StartupList version: 1.52
Started from : C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
TaskMon = C:\WINDOWS\SYSTEM\taskmon.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/4/2004, 17:55:38)

[rename]
NUL=c:\WINDOWS\SYSTEM\YEQYFEQ.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 3,293 bytes
Report generated in 0.091 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
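The two reports above can be read by script rather than by eye. The following is an added example written for this page, not a tool from the thread, from HijackThis or from StartupList; the function names are my own. It uses the O4 (Run / RunServices) lines from the posted HijackThis log and the WININIT.BAK listing from the StartupList report as embedded sample input. On Win9x, WININIT.EXE processes the [rename] section of WININIT.INI at boot (a destination of NUL deletes the source file) and then renames the file to WININIT.BAK, so a .BAK listing records a deletion that was already attempted, which is what MoveOnBoot relies on. The script also flags any program name that is started from more than one directory (the posted log has taskmon.exe in both C:\WINDOWS and C:\WINDOWS\SYSTEM) for manual verification, and checks whether any Run entry references a file scheduled for deletion; for the posted log that last check comes back empty, which is the useful negative result: none of the listed Run entries names the DLL.

```python
import re
from collections import defaultdict

# Constructed sample input: the O4 lines copied from the HijackThis log
# posted earlier in this thread, embedded so the script runs offline.
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Constructed sample input: the WININIT.BAK listing from the StartupList report.
WININIT_BAK = r"""
[rename]
NUL=c:\WINDOWS\SYSTEM\YEQYFEQ.DLL
"""

# HijackThis O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_path(cmd):
    """Program part of the command (first token), lower-cased; arguments dropped."""
    return cmd.split()[0].lower()


def image_name(cmd):
    """Bare file name of the program, without any directory."""
    return image_path(cmd).rsplit("\\", 1)[-1]


def find_duplicate_images(entries):
    """Map file name -> sorted distinct paths for names started from more than
    one directory. This only flags candidates for manual checking; it does not
    decide which copy is legitimate."""
    paths = defaultdict(set)
    for e in entries:
        paths[image_name(e["cmd"])].add(image_path(e["cmd"]))
    return {name: sorted(p) for name, p in paths.items() if len(p) > 1}


def parse_wininit_rename(text):
    """Return (destination, source) pairs from the [rename] section of a
    WININIT.INI / WININIT.BAK file. Win9x renames each source to its
    destination at boot; a destination of NUL means the source is deleted."""
    pairs = []
    in_rename = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = line.split("=", 1)
            pairs.append((dst.strip(), src.strip()))
    return pairs


def analyze(hjt_log, wininit_text):
    """Combine the two parsers into a small findings dict."""
    entries = parse_o4(hjt_log)
    boot_deletes = [src for dst, src in parse_wininit_rename(wininit_text)
                    if dst.upper() == "NUL"]
    deleted_names = {d.rsplit("\\", 1)[-1].lower() for d in boot_deletes}
    # Run entries whose command mentions a file that was scheduled for deletion.
    referencing = [e["name"] for e in entries
                   if any(n in e["cmd"].lower() for n in deleted_names)]
    return {
        "duplicate_images": find_duplicate_images(entries),
        "boot_deletes": boot_deletes,
        "autoruns_referencing_deleted": referencing,
    }


if __name__ == "__main__":
    for key, value in analyze(HIJACKTHIS_LOG, WININIT_BAK).items():
        print(f"{key}: {value}")
```

Run it as-is to see the three findings for the posted log; to use it on another machine's output, paste that log's O4 lines and its WININIT.BAK listing into the two sample strings. The duplicate check matches on bare file name on purpose: a second copy of a system file name in a different directory is exactly the kind of entry a helper in this forum would ask about before anything is "fixed".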

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
I am still unable to delete the file. When I enter the file into MoveOnBoot the program says file error!
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
Sorry. It says incorrect file name. What filename must I put in so that the yeqyfeg.dll file does not load?
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
OK, I got the file into MoveOnBoot and after the reboot the file was back. I assume that there is something in the startup list that enables the file at startup. How can I find this and remove it?
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
I removed the wininit.bak file as well as the yeqyfeg.dll file with the MoveOnBoot program, but as soon as the PC restarts the files are back.

Is there no one out there who can solve this problem for me?
 

Riempie

Thread Starter
Joined
Apr 22, 2002
Messages
430
Guys, what is wrong!! Don't tell me that this problem is not in anyone's capability to solve! Please help me with this!!
 