LostinNJ
2009-11-05, 00:07
I've had Trojan horses, viruses, and malware since Friday night. Different ones are found and removed by each SpyBot or AVG scan, but then they or others show up again. This morning:
1. At startup, "svchost.exe - Application Error" window, reading: The instruction at "0x00aaaa49" referenced memory at "0x00000000". The memory could not be "read". Click on OK to terminate the program. Click on Cancel to debug the program.
2. Clicking on the close window X (because I wasn't sure if it was a legitimate message) caused a System Shutdown window to open (inc. "because the DCOM Server Process Launcher Service terminated unexpectedly").
3. Since then, startup opens only one window: RUNDLL, reading: Error loading kujejato.dll. The specified module could not be found.
4. After startup, I do a SpyBot Check for Problems complete scan, of about 660,000 files. At about 145,000, Virtumonde appears to the right of the file numbers being checked, and stays visible (with different extensions: .dll, .sdn, etc.) for most of the rest of the check. (Virtumonde, with different extensions, showed up in earliest scans, starting Friday night, but not in the last several.)
5. Lately, the scan turns up 3 or 4 entries of Win32.Agent.pz malware and Win32.ZBot Trojan. I click on Fix Selected Problems and green check marks appear, with a window that it's solved.
6. Closing SpyBot then opens a SpyBotSD.exe - Application Error window, reading: The instruction at "0x072a40c2" referenced memory at "0x0754e060". The memory could not be "read".
7. Whether I close the window or click OK, I get an Error window, reading, "Runtime error 216 at 072A40C2". Note: These are the latest numbers; after previous scans, the referenced memory at was "0x074adec8" or "0x0754e018" or others, and the runtime error 216 also read "072040C2".
8. A separate AVG scan today, right after the "selected problems" were "fixed" at SpyBot, turned up PSW.Generic7.APIQ threats in two files, which were moved to the Virus Vault, which I then emptied.
9. Later today I clicked on the Recovery button at SpyBot and saw apparently saved backups for the Win32 threats, which I then purged. But a second SpyBot scan again turned up the threats, and the backups were backed in Recovery (and then purged again).
10. Still in Recovery as backups (because I don't know if they're threats or OK) are: Fraud.Sysguard 3, WinSpywareProtect 1, Microsoft.Windows.AppFirewallBypass 2, Microsoft.WindowsSecurity.InternetExplorer 1, Microsoft.WindowsSecurityCenter.FirewallBypass 2, and MyWay.MyWebSearch 2
So, what--if anything--can I do to get rid of the threats (without losing everything in my hard drive, esp. Word files, e-mail messages, etc.)? If I see windows open up for svchost.exe - Application Error, RUNDLL (Error loading kujejato.dll), SpyBotSD.exe - Application Error, or Error (Runtime error 216), should I click on OK, or cancel (if that options exists), or the close window X, or do something else? Are those Recovery entries OK or threats? What else should I do, or know?
In other words, Helllllllllllllllp!!!!!!!!!
LostinNJ
1. At startup, "svchost.exe - Application Error" window, reading: The instruction at "0x00aaaa49" referenced memory at "0x00000000". The memory could not be "read". Click on OK to terminate the program. Click on Cancel to debug the program.
2. Clicking on the close window X (because I wasn't sure if it was a legitimate message) caused a System Shutdown window to open (inc. "because the DCOM Server Process Launcher Service terminated unexpectedly").
3. Since then, startup opens only one window: RUNDLL, reading: Error loading kujejato.dll. The specified module could not be found.
4. After startup, I do a SpyBot Check for Problems complete scan, of about 660,000 files. At about 145,000, Virtumonde appears to the right of the file numbers being checked, and stays visible (with different extensions: .dll, .sdn, etc.) for most of the rest of the check. (Virtumonde, with different extensions, showed up in earliest scans, starting Friday night, but not in the last several.)
5. Lately, the scan turns up 3 or 4 entries of Win32.Agent.pz malware and Win32.ZBot Trojan. I click on Fix Selected Problems and green check marks appear, with a window that it's solved.
6. Closing SpyBot then opens a SpyBotSD.exe - Application Error window, reading: The instruction at "0x072a40c2" referenced memory at "0x0754e060". The memory could not be "read".
7. Whether I close the window or click OK, I get an Error window, reading, "Runtime error 216 at 072A40C2". Note: These are the latest numbers; after previous scans, the referenced memory at was "0x074adec8" or "0x0754e018" or others, and the runtime error 216 also read "072040C2".
8. A separate AVG scan today, right after the "selected problems" were "fixed" at SpyBot, turned up PSW.Generic7.APIQ threats in two files, which were moved to the Virus Vault, which I then emptied.
9. Later today I clicked on the Recovery button at SpyBot and saw apparently saved backups for the Win32 threats, which I then purged. But a second SpyBot scan again turned up the threats, and the backups were backed in Recovery (and then purged again).
10. Still in Recovery as backups (because I don't know if they're threats or OK) are: Fraud.Sysguard 3, WinSpywareProtect 1, Microsoft.Windows.AppFirewallBypass 2, Microsoft.WindowsSecurity.InternetExplorer 1, Microsoft.WindowsSecurityCenter.FirewallBypass 2, and MyWay.MyWebSearch 2
So, what--if anything--can I do to get rid of the threats (without losing everything in my hard drive, esp. Word files, e-mail messages, etc.)? If I see windows open up for svchost.exe - Application Error, RUNDLL (Error loading kujejato.dll), SpyBotSD.exe - Application Error, or Error (Runtime error 216), should I click on OK, or cancel (if that options exists), or the close window X, or do something else? Are those Recovery entries OK or threats? What else should I do, or know?
In other words, Helllllllllllllllp!!!!!!!!!
LostinNJ