Had an account hacked, don't know if I still have virus or not

Hello,

I recently had an account of mine hacked and I'm not really sure how. I'm normally pretty careful about running antivirus/spyware programs and I use Firefox with NoScript. Anyways, I downloaded a couple more antivirus programs and they deleted some stuff, but I'm not sure it got rid of everything. I was wondering if anyone could tell me what my HijackThis log says. I'm not really computer savvy. Thanks!
 
You're running three antivirus programs: Symantec, AVG and Avast. Please uninstall two of them. If you want to uninstall Symantec, use the Norton Removal Tool.

You have a MyWaySearch infection.
Please reopen HijackThis to 'do system scan only'
Check the following entries if present: Note: Don't click on Fix Checked until all the checks are in
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - *{03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
(SpywareStop (or Spyware Stop) is a fake anti-spyware program that behaves very aggressively.)
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


Close all windows except HijackThis and click on 'Fix Checked.'

Remove Real Time Protection:
SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.

When all of the above has been completed:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HJT. Attach new log and Combofix report.


Summary:
Remove 2 of the 3 AV programs.
Do a full system scan with the remaining AV.
Disable TeaTimer.
Run ComboFix. Attach the report.
Rescan with HJT. Attach the new log.
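The helper's triage of the HijackThis log above follows a few simple rules: a URLSearchHook CLSID with "(no file)" behind it is an orphaned hook, a Search Bar pointing at myway.com is the MyWaySearch infection, a Run entry for SpywareStop is a rogue anti-spyware autostart, and TeaTimer is real-time protection that must be disabled before fixes are applied. The following script, added here as an illustration and not part of the thread or of HijackThis itself, applies those rules to constructed sample log lines that mirror the entries listed above; the rule lists are assumptions taken from the helper's post.

```python
import re
from urllib.parse import urlparse

# Constructed sample HijackThis lines: the first five mirror the entries the helper
# flagged in the thread, the last two are benign autostart entries added for contrast.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - *{03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Rule lists are assumptions distilled from the helper's diagnosis in this thread.
BAD_SEARCH_DOMAINS = {"myway.com"}            # MyWaySearch hijack of the IE search bar
ROGUE_RUN_NAMES = {"spywarestop"}             # fake anti-spyware autostart
CLEANUP_INTERFERENCE = {"spybotsd teatimer"}  # real-time protection to disable before fixing

SEARCH_RE = re.compile(r"^(?:R\d - )?HKCU\\Software\\Microsoft\\Internet Explorer\\Main,(?P<key>[^=]+?) = (?P<url>\S+)$")
HOOK_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\*?\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage_line(line):
    """Return why an HJT entry should be checked for 'Fix Checked', or None if it looks benign."""
    m = SEARCH_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if any(host == d or host.endswith("." + d) for d in BAD_SEARCH_DOMAINS):
            return f"search setting points at {host}"
        return None
    m = HOOK_RE.match(line)
    if m:
        # A hook whose CLSID resolves to no file is leftover from removed/hidden malware.
        return "orphaned URLSearchHook (CLSID with no backing file)" if m.group("file").strip() == "(no file)" else None
    m = RUN_RE.match(line)
    if m:
        name = m.group("name").lower()
        if name in ROGUE_RUN_NAMES:
            return f"autostart of known rogue anti-spyware '{m.group('name')}'"
        if name in CLEANUP_INTERFERENCE:
            return f"real-time protection '{m.group('name')}' blocks registry fixes; disable it first"
    return None


def triage_log(text):
    """Return (line, reason) pairs for every entry the rules flag."""
    return [(line, reason) for line in text.splitlines() if (reason := triage_line(line))]


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```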
 
So I followed the directions you gave me and now I can't connect to the internet. Everything was fine until I ran the ComboFix program and my computer reset, and now I can't connect to the internet. Every time I try it says "Connection Failed!". I tried restarting the computer and before it restarted it gave me a message with something about
"Generic host process for win32 services"... help please!
 
Looks like site problems yesterday as the color on the tags didn't work.

Uninstall Combofix:
To uninstall ComboFix.exe And all Backups of files that it deleted
  • Click START> RUN
  • Type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

  • When shown the disclaimer, Select "2"

Then reboot and see if your connection is working.

As for:
something about
"Generic host process for win32 services".

This covers a lot of territory! I can't troubleshoot an error if I don't know what it is! Either tell me what was given for "something about" or find the corresponding Error in the Event Viewer:

Start> Run> type in eventvwr

Do this on each of the System and Application logs:

  1. Click to open the log.
  2. Look for the Error.
  3. Right click on the Error > Properties.
  4. Click on the Copy button, top right, below the down arrow.
  5. Paste here (Ctrl V).
  6. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with the same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

Errors are time coded.

As you read:
Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If the program did stall, it wouldn't have completed and restored the connection. Normally when I have someone run ComboFix, IF there is any problem, it tends to occur once in a while at the download time.

By any chance, did ComboFix run? Do you have the report? If yes, can you load it onto a flash drive and send it here?
 
OK, so I did the uninstall and restarted and it did nothing for my connection.

Every time I log off I get a box that comes up and says...
"Generic host process for win32 services has encountered a problem and needs to close." I clicked on more details and it gave me a bunch of things:

"SzAppName:Svchost.exe, SzAppVer: 5.1.2600.5512, SzModVer: 0.0.0.0 ,
Offset: 73d223b5 , SzModName: Unknown"

Also there were two file names:

C:\Docume~1\locals~1\Temp\WER1c90.dir00\svchost.exe.mdmp
" "appcompat.txt

This was the generic host thing I was talking about. I had never had that come up until that ComboFix program ran, and now it always happens and I can't connect to the internet. I also wasn't able to find the .txt file for ComboFix, but I know it ran all the way.
 
Please follow my direction for accessing the Event Viewer and look for any Error happening at the same time. Hopefully that will lead us to which Service is having the problem.

You do not need the internet for this.

It is most likely that malware has caused the problem, not Combofix.

C:\Docume~1\locals~1\Temp\WER1c90.dir00\svchost.exe.mdmp
" "appcompat.txt

From AskLeo:
Appcompat.txt is simply a reporting file used when uploading error reports to Microsoft. You've seen the message asking you if you would like to "report this error to Microsoft"? Appcompat.txt is a file that is uploaded if you say yes.

Appcompat.txt is not the problem. It contains information about the problem. Open it up in notepad, and you'll see what I mean. When you get an error message that references appcompat.txt, it'll usually give you the full path to the file. So click on Start, Run and enter:

notepad C:\DOCUME~1\username\LOCALS~1\Temp\WER7b4e.dir00\appcompat.txt

Where "C:\DOCUME~1\username\LOCALS~1\Temp\WER7b4e.dir00\appcompat.txt" is replaced with the actual information that was presented in the error message. You'll see a lot of technical information that begins with this:
<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>

Followed by information about the program that was running at the time an error occurred. Note: it's not meant that you understand this. It's meant for the engineers back at Microsoft to use to analyze failures and hopefully provide fixes over time. I point it out here, simply to drive home the point.

Details for file extension: MDMP - WinXP Trouble Report (Microsoft Corporation) - The extension is added to file to be sent to Microsoft.
 