HJT log for the possessed PC

Status
Not open for further replies.

glowingnissan07

Told to post this here by Howard Hopkinso



Keep in mind this is in Safe Mode (Windows Domain Controllers only),
and that in Normal Mode I got an INS application error on bootup that I traced to "winupdates.exe". Apparently it didn't show up here, and I've been told it's a worm.
 
Your HJT log is out of date.

The latest version of HJT is 1.99.1.

Obtain the latest version and post a fresh HJT log into this thread as an attachment please.

Regards Howard :)
 
Ok ok Howard, I followed your instructions EXACTLY. As you will see, even though Ewido cleaned certain threats, my HJT log still has the same apps on the list. I'm assuming that's not supposed to happen.

If it's worth knowing, I had to install Ewido on THIS PC to get the update package, then installed Ewido on my PC and pasted the extra signatures into the Signature folder, so I had the same update package as this one.

After running Ewido the first time, I couldn't run a number of apps, including HJT. I kept getting the annoying illegal operation error that asks you to send an error report to Microsoft. I decided to reset, but apparently logonui.exe was illegal too. I noticed this in the Error Signature of all the apps' errors:

szModName: clbcatq.dll

I'm not sure if that's relevant... but what the heck, the more info the better, I guess.

Anyway, I got it to log off, but it got stuck on Saving Settings and never finished, so it never shut off. My only option was to do a manual reset. Everything booted up normally and ran normally, all the apps. But I got to Windows and got one of those errors, surprisingly not a Run-time Error:

isactiveguard:RegOpenKeyEx failed 2 0

I'm almost positive that has to do with the newly installed Ewido though.

Anyway, the reports are attached, so have yourself a look. The scan report is from Ewido, which will show you what it cleaned. Compare with the HJT log after the reset.
 

Attachments: hijackthis32.txt (1.8 KB)
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there):

winupdate
winupdates

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

p2pnetworking
winupdates
winupdate

close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there):

PowerReg Scheduler V3.exe
p2pnetworking.exe
winupdates.exe
winupdate.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto

O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe

O4 - Startup: PowerReg Scheduler V3.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there):

PowerReg Scheduler V3.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\winupdate\winupdate.exe
p2pnetworking.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :)
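Howard's steps above are all done through the GUI in Safe Mode. As an added example, not from this thread or any of its posters, the PowerShell script below does the read-only counterpart on a modern Windows box: it enumerates the same autostart locations (the Run/RunServices keys behind HJT's O4 lines, services, running processes, the Startup folders and the two program paths named in the log) and lists anything matching the names in the instructions, so you can confirm what is actually present before touching anything and check afterwards that it is gone. It removes nothing. It assumes PowerShell 5.1 or later, and that the `Startup`/`CommonStartup` special folders are where an `O4 - Startup:` entry would live; the name list is taken from the post, and the machine in the thread (XP era) would not run this as written.

```powershell
# Added example, not from the thread: read-only audit of the autostart
# locations covered by the removal steps above. Reports matches only.
# Assumes PowerShell 5.1+. Names below are the ones listed in the HJT lines.

$suspectNames = @('winupdate', 'winupdates', 'p2pnetworking', 'PowerReg Scheduler V3')

# HJT's "HKLM\..\Run" shorthand expands to these keys. RunServices only exists
# on Win9x/ME-era installs, so each key is guarded with Test-Path.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# Registry Run entries (the "O4 - HKLM\..\Run" lines)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        foreach ($n in $suspectNames) {
            if ($p.Name -like "*$n*" -or "$($p.Value)" -like "*$n*") {
                $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# Installed services (the services.msc step)
foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
    foreach ($n in $suspectNames) {
        if ($svc.Name -like "*$n*" -or $svc.DisplayName -like "*$n*") {
            $findings += [pscustomobject]@{ Where = 'Service'; Name = $svc.Name; Value = $svc.Status }
        }
    }
}

# Running processes (the Task Manager step); ProcessName has no .exe suffix
foreach ($proc in Get-Process) {
    foreach ($n in $suspectNames) {
        if ($proc.ProcessName -like "*$n*") {
            $findings += [pscustomobject]@{ Where = 'Process'; Name = $proc.ProcessName; Value = $proc.Id }
        }
    }
}

# Startup folders (the "O4 - Startup:" line) and the two file paths named in the post.
# Assumption: a Startup-folder O4 entry lives in the per-user or all-users Startup folder.
$paths = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'PowerReg Scheduler V3.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'PowerReg Scheduler V3.exe'),
    'C:\Program Files\winupdates\winupdates.exe',
    'C:\Program Files\winupdate\winupdate.exe'
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Where = 'File'; Name = $f; Value = (Get-Item -LiteralPath $f).Length }
    }
}

if ($findings.Count -eq 0) {
    'No matches for the listed names.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once before the fix to see which of the five items are really present (in the thread, two of the files turned out not to exist on disk at all, only as registry entries), and once more after the reboot into normal mode; an entry that reappears after a clean pass means something still running is recreating it, and the stop-service/end-process steps need repeating before the HJT fix.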
 
Surprisingly, this pass went perfectly smoothly. :approve:

I went in in Safe Mode (NOT Windows Domain Controllers Only) and did everything you said.

winupdates.exe and p2pnetworking.exe were nowhere to be found except in HijackThis, so I fixed them, and now they're gone. So far, not a single crash, but I'm running a defrag because so far every time it's crashed on that. I'll let you know if I still have the problem.

I'm posting 3 HJT logs: #3 = HJT before the fix in safe mode
#4 = HJT after the fix in safe mode
#5 = HJT after the fix in normal mode
 