TechSpot

HJT Log Attached! Virus Overload!!!!

By azdork
Dec 17, 2006
  1. Ok...please bear with me because I don't really know where to begin. First let me tell you I have Webroot SpySweeper on the infected computer. During my last system scan a number of trojans were found: TROJAN-BACKDOOR-US15INFO, Spy Sheriff, trojan-backdoor-rustock and Trojan-nuwar. I decided to try and go into regedit to look for suspicious entries but found that every time I opened regedit something would automatically close the program. This problem has now progressed to almost all programs closing seconds after I open them. When I opened HJT I barely had enough time to perform a scan; I wasn't able to save the log, though, because the program once again closed automatically right after the scan. Luckily a copy of the log is always saved in notepad but that's all I have as shown below. Please help, I have almost lost all access to the computer at this point!!! Thanks in advance.
    Heather (A Newbie)
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Your system is infected with quite a few pieces of malware.

    Have you tried booting into safe mode? When your PC is booting, hit F8 (I think that's the key:)) and see if you can open programs there.

    --kitty
     
  3. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please copy and paste these instructions into a notepad file and save it to your desktop.

    Boot into safe mode by restarting your computer and then pressing F8 repeatedly right after it restarts. Then be sure that 'safe mode' is selected.

    Once it boots:

    Open the notepad file containing these instructions.

    Run HiJackThis with no other programs running except notepad.

    Have it scan and save a logfile.

    Have HiJackThis fix the following entries by placing a check in the box:

    F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe

    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe

    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe

    O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe

    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe

    O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe

    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe

    O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe

    Click 'fix checked'.

    Close HiJackThis.

    Go into Task Manager and end process for (if there):

    nordsys.exe

    Close Task Manager.

    Search your computer for the following files and delete each instance of each of them (if there):

    nordsys.exe

    kernels1118.exe

    Go into C:\Windows\inet20000\ and delete the following file(s) (if there):

    services.exe

    Go to C:\Windows\System32\ and delete the following file(s) (if there):

    syspools.exe

    Reboot your computer in normal mode and post a new HiJackThis log.

    Cheers

    --kitty
     
  4. Rik

    Rik Banned Posts: 3,814

    Some very good advice from kitty500cat.

    A fresh HJT log after following the instructions would be a good idea just in case!!

    Kitty500cat, have you been learning from Howard?:)


    This thread is for the use of azdork only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Yeah, Rik. I forgot to put the red message @ the bottom though ;)
    --kitty

    This thread is for the use of azdork only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is riddled with nasties and you're not running any antivirus or firewall software.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:

    kitty500cat: This entry is being run as a service. O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe

    That means the service must first be stopped, otherwise fixing it with HJT won't work.

    The way to stop the service is like this, from safe mode.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SystemTools

    Close the services window.

    Once that's done, the kernels1118.exe can be manually deleted. Hope that helps.


    This thread is for the use of azdork only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
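As an added example (not part of the thread, and not code from HiJackThis or Webroot), the following Python script parses the F3/O4 autostart lines kitty500cat listed and applies the checks a helper applies by eye: it groups entries by executable so the same file registered under HKLM and HKCU shows up once, flags a file named like a core Windows binary (services.exe) that lives outside its home directory, flags launch paths in directories where autostart programs are not normally found (the inet20000 folder), and, following Howard's note, marks any RunServices entry as needing the service stopped before HJT can fix it. The list of core binaries, the expected directories and the flag names are the example's own assumptions, not anything HJT itself reports.

```python
"""Triage HiJackThis (HJT) F3/O4 autostart entries: parse each line, group
by executable, and attach flags that a helper reviewing the log would raise."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the entries quoted in the thread above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
"""

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <path>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+?)\s*$")
# F3 lines: "F3 - REG:<inifile>: <key>=<path>"
F3_RE = re.compile(r"^F3 - REG:(\S+?): (\w+)=(.+?)\s*$")

# Assumption for this example: core Windows binaries and the subfolder of the
# Windows directory a legitimate copy lives in ("" = the Windows folder itself).
SYSTEM_BINARIES = {"services.exe": "system32", "svchost.exe": "system32",
                   "lsass.exe": "system32", "csrss.exe": "system32",
                   "winlogon.exe": "system32", "explorer.exe": ""}
WINDOWS_DIR = r"c:\windows"


@dataclass(frozen=True)
class AutostartEntry:
    source: str   # "O4" (registry Run keys) or "F3" (win.ini run=)
    hive: str     # HKLM, HKCU, or the ini file name for F3
    key: str      # Run, RunServices, run, ...
    name: str
    path: str


def parse_hjt(text):
    """Parse F3 and O4 lines; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, path = m.groups()
            entries.append(AutostartEntry("O4", hive, key, name, path))
            continue
        m = F3_RE.match(line)
        if m:
            inifile, key, path = m.groups()
            entries.append(AutostartEntry("F3", inifile, key, key, path))
    return entries


def flags_for(path):
    """Heuristic flags for one launch path (constructed for this example)."""
    directory, _, filename = path.lower().rpartition("\\")
    flags = set()
    if filename in SYSTEM_BINARIES:
        sub = SYSTEM_BINARIES[filename]
        expected = WINDOWS_DIR + ("\\" + sub if sub else "")
        if directory != expected:
            flags.add("masquerade")      # system binary name, wrong directory
    usual = directory in (WINDOWS_DIR, WINDOWS_DIR + r"\system32") \
        or directory.startswith(r"c:\program files")
    if not usual:
        flags.add("unusual_dir")
    return flags


def triage(text):
    """Group entries by executable; note which hives/keys launch it and why it
    stands out. A RunServices entry runs as a service and, as Howard points
    out above, must be stopped before HJT can fix the entry."""
    report = defaultdict(lambda: {"launched_from": [], "flags": set()})
    for e in parse_hjt(text):
        rec = report[e.path.lower()]
        rec["launched_from"].append(f"{e.hive}\\{e.key}")
        rec["flags"] |= flags_for(e.path)
        if e.key == "RunServices":
            rec["flags"].add("stop_service_first")
    return dict(report)


if __name__ == "__main__":
    for path, rec in triage(SAMPLE_LOG).items():
        print(path, sorted(rec["flags"]), rec["launched_from"])
```

Run on the sample, the inet20000 copy of services.exe comes back with both the masquerade and unusual_dir flags and three launch points (win.ini, HKLM and HKCU), while kernels1118.exe carries only the reminder to stop the SystemTools service first; nordsys.exe and syspools.exe get no heuristic flag, which is exactly why a helper still reads the whole log rather than relying on path checks alone.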
     
Topic Status:
Not open for further replies.
