TechSpot

Need urgent help with virus, winh32

By mcgilles
Nov 30, 2007
Topic Status:
Not open for further replies.
  1. I hope someone can help me remove a virus from a computer. It's running Windows XP.

    Anti-virus captures winh32.exe as a trojan (among other things). It keeps showing up. The desktop background is being changed to a screen which says "Warning! Spyware threat has been detected on your PC." It goes on to say that unauthorized access was gained by another computer. I cannot bring up the Task Manager because the option is greyed out (Spybot found the reg key which is doing this, but it reappears after being removed). I am also getting pop-ups and security warnings in the taskbar. One of the pop-ups is a suspicious-looking window with poorly formatted graphics; it has links to some pay-ware anti-spyware stuff.

    I have run Spybot and Ad-Aware; it has avast 4 antivirus. I will post the HijackThis and ComboFix logs below. I would greatly appreciate any help anyone could offer to clear this computer.

    (Moderator edit: Please do not copy and paste your logs. Instead, post them as attachments only in either .txt or .log format. To learn how to attach a log file, please see HERE.)
  2. evilfantasy

    evilfantasy Banned Posts: 428

  3. mcgilles

    mcgilles TS Rookie Topic Starter

    Sorry! I guess I had an out-of-date version; attached is the new log. I ran this in safe mode; I can run it in normal mode if that would make a difference in the resident processes.

    Thanks in advance for your help!
  4. evilfantasy

    evilfantasy Banned Posts: 428

    Yes, normal boot mode is needed.
  5. mcgilles

    mcgilles TS Rookie Topic Starter

    Here is a normal boot mode log.
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Open HijackThis and select "Do a system scan only"

    Place a check mark next to:

    O2 - BHO: qiawpbjj.msdn_hlp - {66E72884-4FD2-464F-A6B8-468F31C40E36} - C:\WINDOWS\system32\qiawpbjj.dll (file missing)

    Now click on "Fix checked"

    =====

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [​IMG]

    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    =====

    Next post please attach the
    combofix.txt
    A NEW HijackThis log
  7. mcgilles

    mcgilles TS Rookie Topic Starter

    Thank you so much for your help. I can already see an improvement in the situation. Here are the latest logs.
  8. evilfantasy

    evilfantasy Banned Posts: 428

    Open HijackThis and select Do a system scan only

    Place a check mark next to

    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

    Close all windows and click Fix checked

    ======

    Requires Internet Explorer

    Use the ESET Nod32 Online Scanner
    Click YES, I accept the Terms of Use. Then click Start
    The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt
    Add the EsetOnlineScanner\log.txt in your post as an Attachment

    ===

    Post the ESET scan log and a new HijackThis log in the next post.
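
Added example, not part of the original thread: a Python sketch that parses HijackThis O2 (Browser Helper Object) lines like those quoted in the posts above and lists the entries whose DLL is reported as `(no file)` or `(file missing)`, i.e. registrations left behind after the file itself is gone. The function names are illustrative, and the sample log is constructed: it reuses two lines quoted in the thread and adds made-up entries for contrast.

```python
import re

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or marker>"
O2_RE = re.compile(
    r"^\s*O2 - BHO: (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.*?)\s*$"
)
MISSING = "(file missing)"

def parse_o2(line):
    """Parse one O2 line; return None for any other log line."""
    m = O2_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if target == "(no file)":              # registration with no path at all
        status, path = "no_file", None
    elif target.endswith(MISSING):         # path recorded, DLL not on disk
        status, path = "file_missing", target[:-len(MISSING)].rstrip()
    else:
        status, path = "present", target
    return {"name": m.group("name"), "clsid": m.group("clsid").upper(),
            "path": path, "status": status}

def orphaned_bhos(log_text):
    """Return O2 entries whose DLL is absent, de-duplicated by CLSID."""
    seen, found = set(), []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry and entry["status"] != "present" and entry["clsid"] not in seen:
            seen.add(entry["clsid"])
            found.append(entry)
    return found

# Constructed sample: lines 1-2 are quoted in the thread, the rest are made up.
SAMPLE_LOG = r"""
O2 - BHO: qiawpbjj.msdn_hlp - {66E72884-4FD2-464F-A6B8-468F31C40E36} - C:\WINDOWS\system32\qiawpbjj.dll (file missing)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {029E02F0-A0E5-4B19-B958-7BF2DB29FB13} - (no file)
O2 - BHO: ExampleHelper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [example] C:\Example\example.exe
"""

if __name__ == "__main__":
    for e in orphaned_bhos(SAMPLE_LOG):
        print(e["status"], e["clsid"], e["path"] or "-")
```

An entry flagged here only means the registration outlived its file; whether the CLSID belonged to malware or to an uninstalled legitimate add-on still has to be judged separately.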