Need Help - Hijack log included.

By pcspores
Dec 15, 2007
Topic Status:
Not open for further replies.
  1. Wow. This is my roommate's computer and I have never encountered such a beast. I just got the task manager working less than 10 minutes ago (because of this site) but I would like to also include my Hijack log. Thanks for any help, guys!!!!

    <3

    (by the way, it claims my upload is "in progress" so I will provide a URL for the log.)

    Http://geocities.com/lateforthefuture/log.txt
  2. pcspores

    pcspores Newcomer, in training Topic Starter

    I can't post a link until I have 3 posts so here we go....
  3. pcspores

    pcspores Newcomer, in training Topic Starter

    and this is #3
  4. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    I don't see the Hijack log, nor a useful URL.
    We will also likely need your computer brand and model, and a brief description of the problem.
  5. pcspores

    pcspores Newcomer, in training Topic Starter

    The URL is up there now. This PC is running on Win XP Pro, Compaq with a Pentium IV. Not much else I know about it. 512 MB RAM, 2.5 GHz.
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Download ViewpointKiller

    * Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
    * Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
    * If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

    Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

    Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.

    ----------

    Your system is badly infected.

    You need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HijackThis (HJT), Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
    We also need to know the result of Panda Antirootkit.

    ----------

    Why is the system not updated to SP2?
  7. pcspores

    pcspores Newcomer, in training Topic Starter

    WOW! Quite a bit of cleaning there. Here's the new logs. After I ran panda, I got no return on any rootkits. Thanks so much guys... things already seem smoother.

    For some reason, I can't upload the results of the AVG scan, which seemed to be the most productive (something like 33,000 malware found).

    Let me know if there's some more I can do for this computer.
  8. evilfantasy

    evilfantasy Banned Posts: 428

    The log may be too big for the attachment limit.

    Open a blank page in notepad and cut/paste half of the log into it and save it to the desktop, then use two attachments to upload the log.
  9. evilfantasy

    evilfantasy Banned Posts: 428

    Download KillBox here: http://killbox.net/downloads/KillBox.exe
    Save it to your desktop.
    DO NOT run it yet.


    Please download ATF Cleaner by Atribune (ATF-Cleaner.exe) and save it to the desktop.
    DO NOT run it yet.

    ----------

    1. Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    ----------

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find

    WinToolsSvc

    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the drop down menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    ---

    1. Click on start, then settings, and then control panel.
    2. Double-click on the Add/Remove programs icon.
    3. Scroll down till you see an entry that contains the word WinTools and then uninstall it
    4. Follow all the prompts asking to uninstall and reboot when it asks.
    5. After it has rebooted fix any entries in HijackThis for WinTools
    6. Delete the following files and/or folders: (in bold)

    C:\Program Files\Common Files\COMMON Files\WinTools\WToolsA.exe

    ----------

    Open HijackThis and select Do a system scan only then place a check mark next to: (if there)

    Next close all windows except for HijackThis and click Fix checked

    ----------

    1) Please print off these instructions - they will be needed later when internet access is not available.

    2) Save these instructions in word/notepad to the desktop where they can be easily found.

    ----------

    Boot into Safe Mode

    * If the computer is running, shut down Windows, and then turn off the power.
    * Wait 30 seconds, and then turn the computer on.
    * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    * Ensure that the Safe Mode option is selected.
    * Press Enter. The computer then begins to start in Safe mode.
    * Login on your usual account.

    Double-click on Killbox.exe to run it.
    Now put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste the following line into it.
    C:\WINDOWS\system32\procmsg.exe
    Then click on the button that has the red circle with the X in the middle.
    It will ask for confirmation to delete the file.
    Click Yes.

    Then run ATF Cleaner.

    Make sure that all browser windows are closed.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.

    If you use Firefox browser
    * Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    * Click Opera at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Reboot to Normal Mode.

    ----------

    Post a new HijackThis log.
  10. pcspores

    pcspores Newcomer, in training Topic Starter

    Okay. All done. I have attached the new Hijack. Only problem was, when I ran killbox it couldn't find the file. I think I might have somehow already deleted it?

    When I entered safe mode, I realized he was using SP1... I guess I'll have to upgrade that for him as well.
  11. evilfantasy

    evilfantasy Banned Posts: 428

    Yes I noticed that, but it shouldn't be done until ALL malware is gone. Otherwise it can cause big problems.

    Press ctrl+alt+delete (all at once) and find procmsg.exe and right click it and choose End Process.

    Open Hijackthis and have it fix:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
    O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe


    Then open My Computer from the desktop and go to C:\WINDOWS\system32\procmsg.exe and delete procmsg.exe


    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    Post the combofix log and a new hijackthis log in the next reply.
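The manual steps evilfantasy gives in posts 9 and 11 (show hidden files and extensions, stop and disable WinToolsSvc, end procmsg.exe, remove the two O4 Run/RunServices entries HijackThis lists, delete the two files) can be done from a command prompt on XP Pro, which also gives you a record of what was found. The script below is an added example written for this thread; it is not the helper's instructions, not a HijackThis or KillBox feature, and was not posted by anyone in the thread. The service name, value name and file paths are taken from the posts above; the registry key names for the Folder Options settings and the use of sc.exe, taskkill.exe and reg.exe are assumptions about an XP Pro system (those tools are not in XP Home). The R0 LinksFolderName entry is left to HijackThis's Fix checked, since that resets it to its default rather than deleting it.

```batch
@echo off
REM Added example (not from the thread): the manual removal steps from posts 9
REM and 11 as XP-era cmd.exe commands. Run from an Administrator account.
REM Service name, value name and file paths come from the thread; the rest is assumed.
setlocal

REM --- Folder Options equivalent (post 9, steps 1-9) ---
REM Hidden=1 shows hidden files, HideFileExt=0 shows extensions,
REM ShowSuperHidden=1 shows protected operating system files.
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f >nul
reg add "%ADV%" /v HideFileExt /t REG_DWORD /d 0 /f >nul
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

REM --- Stop and disable the WinTools service (post 9, services.msc step) ---
REM sc.exe requires the space after "start=". Errors here mean the service is
REM already stopped or missing; continue, as the post says.
sc stop WinToolsSvc
sc config WinToolsSvc start= disabled
sc query WinToolsSvc

REM --- End the running process first so the file is not locked (post 11) ---
tasklist /FI "IMAGENAME eq procmsg.exe"
taskkill /F /IM procmsg.exe

REM --- Remove the O4 autostart entries HijackThis reported (post 11) ---
REM "HKCU\..\Run" in an O4 line is HijackThis shorthand for the full key below.
set RUN=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
set RUNSVC=HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg delete "%RUN%" /v "Windows Generic Proc" /f
reg delete "%RUNSVC%" /v "Windows Generic Proc" /f

REM --- Delete the files named in posts 9 and 11 ---
REM The doubled "Common Files\COMMON Files" segment is the path exactly as the
REM thread gives it; check it with dir before trusting it.
for %%F in (
  "%SystemRoot%\system32\procmsg.exe"
  "C:\Program Files\Common Files\COMMON Files\WinTools\WToolsA.exe"
) do (
  if exist %%F (
    attrib -r -s -h %%F
    del /f /q %%F
    if exist %%F (echo STILL PRESENT, retry from Safe Mode: %%F) else (echo deleted: %%F)
  ) else (
    echo not found: %%F
  )
)

REM --- Verify: nothing left in Run/RunServices pointing at procmsg.exe ---
reg query "%RUN%" | find /i "procmsg" && echo WARNING: Run entry still present
reg query "%RUNSVC%" | find /i "procmsg" && echo WARNING: RunServices entry still present
endlocal
```

Save it as a .bat file on the desktop and run it from a Normal Mode prompt first; if a "STILL PRESENT" line appears, the file is locked by a process that taskkill did not reach, and the Safe Mode deletion in post 9 is the fallback. The final reg query lines are the check worth keeping: a Run or RunServices value that reappears after a reboot means something still running is re-adding it, and the cleanup is not finished.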