HJT Log Attached! Virus Overload!!!!

Ok... please bear with me because I don't really know where to begin. First let me tell you I have Webroot SpySweeper on the infected computer. During my last system scan a number of trojans were found: TROJAN-BACKDOOR-US15INFO, Spy Sheriff, trojan-backdoor-rustock and Trojan-nuwar. I decided to try and go into regedit to look for suspicious entries but found that every time I opened regedit something would automatically close the program. This problem has now progressed to almost all programs closing seconds after I open them. When I opened HJT I barely had enough time to perform a scan; I wasn't able to save the log, however, because the program once again closed automatically right after the scan. Luckily a copy of the log is always saved in notepad but that's all I have, as shown below. Please help, I have almost lost all access to the computer at this point!!! Thanks in advance.
Heather (A Newbie)
 
Your system is infected with quite a few pieces of malware.

Have you tried booting into safe mode? When your PC is booting, hit F8 (I think that's the key:)) and see if you can open programs there.

--kitty
 
Please copy and paste these instructions into a notepad file and save it to your desktop.

Boot into safe mode by restarting your computer and then pressing F8 repeatedly right after it restarts. Then be sure that 'safe mode' is selected.

Once it boots:

Open the notepad file containing these instructions.

Run HiJackThis with no other programs running except notepad.

Have it scan and save a logfile.

Have HiJackThis fix the following entries by placing a check in the box:

F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe

O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe

O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe

O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe

O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe

Click 'fix checked'.

Close HiJackThis.

Go into Task Manager and end process for (if there):

nordsys.exe

Close Task Manager.

Search your computer for the following files and delete each instance of each of them (if there):

nordsys.exe

kernels1118.exe

Go into C:\Windows\inet20000\ and delete the following file(s) (if there):

services.exe

Go to C:\Windows\System32\ and delete the following file(s) (if there):

syspools.exe

Reboot your computer in normal mode and post a new HiJackThis log.

Cheers

--kitty
 
Some very good advice from kitty500cat.

A fresh HJT log after following the instructions would be a good idea just in case!!

Kitty500cat, have you been learning from Howard?:)


This thread is for the use of azdork only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Yeah, Rik. I forgot to put the red message @ the bottom though ;)
--kitty

 
Hello and welcome to Techspot.

Your system is riddled with nasties and you're not running any antivirus or firewall software.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:

kitty500cat: This entry is being run as a service. O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe

That means the service must first be stopped, otherwise fixing it with HJT won't work.

The way to stop the service is like this, from safe mode.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SystemTools

Close the services window.

Once that's done, the kernels1118.exe can be manually deleted. Hope that helps.


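Taken together, kitty500cat's list of O4/F3 entries to fix and Howard's note that the RunServices entry must have its service stopped first amount to a small triage rule set for a HijackThis log. The Python script below is an added example, not code from this thread, from HijackThis or from TechSpot: it parses a constructed log made of the entries quoted above plus two benign lines, flags entries using the heuristics the thread relies on (a win.ini run= autostart, a system-binary name such as services.exe running outside System32, the same command registered under several autorun locations, a file name on a watchlist, and a RunServices entry whose service needs stopping before HJT can fix it), and returns the file names to hunt for and the service to stop. The watchlist, the invented "ExampleUpdater" line, the list of system binary names and the assumption that each logged command is a bare path with no arguments are mine.

```python
import ntpath
import re
from typing import List, NamedTuple

# Constructed sample log: the O4/F3 lines quoted in this thread plus two benign entries
# (ctfmon.exe is a stock Windows binary; the "ExampleUpdater" line is invented).
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

class AutorunEntry(NamedTuple):
    section: str    # "O4" (registry Run key) or "F3" (win.ini run= line)
    location: str   # e.g. r"HKLM\..\RunServices", or "win.ini run=" for F3
    name: str       # value name shown in brackets; empty for F3
    command: str    # command as logged (assumed here to be a bare path, no arguments)

class Finding(NamedTuple):
    entry: AutorunEntry
    reasons: List[str]

O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: run=(.*)$")

# Windows binaries that legitimately live only in the system directory (my list).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Constructed watchlist: the file names this thread identified as malware.
WATCHLIST = {"nordsys.exe", "syspools.exe", "kernels1118.exe"}


def parse_hjt(text: str) -> List[AutorunEntry]:
    """Extract O4 and F3 autorun entries from HijackThis log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(AutorunEntry("O4", m.group(1), m.group(2), m.group(3)))
            continue
        m = F3_RE.match(line)
        if m:
            entries.append(AutorunEntry("F3", "win.ini run=", "", m.group(1)))
    return entries


def assess(entries: List[AutorunEntry]) -> List[Finding]:
    """Apply the triage heuristics used in the thread; return only flagged entries."""
    # Distinct autorun locations per command: malware commonly registers the same file
    # under HKLM, HKCU and win.ini so that removing one copy leaves the others behind.
    locations = {}
    for e in entries:
        locations.setdefault(e.command.lower(), set()).add(e.location)

    findings = []
    for e in entries:
        path = e.command.strip('"')
        exe = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        reasons = []
        if e.section == "F3":
            reasons.append("legacy win.ini run= autostart, rarely used by legitimate software")
        if e.location.endswith("RunServices"):
            reasons.append("RunServices entry: stop and disable the service before fixing")
        if exe in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            reasons.append(f"{exe} is a system binary name running from {directory}")
        if exe in WATCHLIST:
            reasons.append(f"{exe} is on the watchlist")
        if len(locations[e.command.lower()]) > 1:
            reasons.append("same command registered under several autorun locations")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def flagged_files(findings: List[Finding]) -> List[str]:
    """File names to search for and delete once the autorun entries are fixed."""
    return sorted({ntpath.basename(f.entry.command).lower() for f in findings})


def services_to_stop(findings: List[Finding]) -> List[str]:
    """Value names of RunServices entries, i.e. services to stop in services.msc first."""
    return sorted(f.entry.name for f in findings if f.entry.location.endswith("RunServices"))


if __name__ == "__main__":
    found = assess(parse_hjt(SAMPLE_HJT_LOG))
    for f in found:
        print(f"{f.entry.location:<20} [{f.entry.name}] {f.entry.command}")
        for r in f.reasons:
            print(f"    - {r}")
    print("files to hunt:", ", ".join(flagged_files(found)))
    print("services to stop first:", ", ".join(services_to_stop(found)))
```

Run against the sample, the script flags all eight malicious lines and leaves ctfmon.exe and the invented updater alone; the file list it returns matches the four names the thread tells the poster to search for and delete, and the single service it names is the SystemTools entry Howard points out. The "several autorun locations" rule is the one worth keeping in mind when reading any HJT log: the same path appearing under both HKLM and HKCU is rarely how a legitimate installer behaves.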
 