Need Help - Hijack log included.

Status
Not open for further replies.

pcspores

Wow. This is my roommates computer and I have never encountered such a beast. I just got the task manager working less than 10 minutes ago (because of this site) but I would like to also include my Hijack log. Thanks for any help, guys!!!!

<3

(by the way, it claims my upload is "in progress" so I will provide a URL for the log.)

Http://geocities.com/lateforthefuture/log.txt
 
I don't see the Hijack log, nor a useful URL.
We will also likely need your computer brand and model, and a brief description of the problem.
 
The URL is up there now. This PC is running on Win XP Pro, Compaq with a Pentium IV. Not much else I know about it. 512 MB RAM, 2.5 GHz.
 
Download ViewpointKiller

* Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
* Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
* If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.

----------

Your system is badly infected.

You need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HijackThis (HJT), Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
We also need to know the result of Panda Antirootkit.

----------

Why is the system not updated to SP2?
 
WOW! Quite a bit of cleaning there. Here's the new logs. After I ran panda, I got no return on any rootkits. Thanks so much guys... things already seem smoother.

For some reason, I can't upload the results of the AVG scan, which seemed to be the most productive (something like 33,000 malware found).

Let me know if there's some more I can do for this computer.
 
The log may be too big for the attachment limit.

Open a blank page in notepad and cut/paste half of the log into it and save it to the desktop, then use two attachments to upload the log.
 
Download KillBox here: http://killbox.net/downloads/KillBox.exe
Save it to your desktop.
DO NOT run it yet.


Please download ATF Cleaner by Atribune. ATF Cleaner.exe and save it to the desktop.
DO NOT run it yet.

----------

1. Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

----------

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

WinToolsSvc

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the drop down menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

---

1. Click on start, then settings, and then control panel.
2. Double-click on the Add/Remove programs icon.
3. Scroll down till you see an entry that contains the word WinTools and then uninstall it.
4. Follow all the prompts asking to uninstall and reboot when it asks.
5. After it has rebooted fix any entries in HijackThis for WinTools
6. Delete the following files and or folders: (in bold)

C:\Program Files\Common Files\COMMON Files\WinTools\WToolsA.exe

----------

Open HijackThis and select Do a system scan only then place a check mark next to: (if there)

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c9.cab
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Next close all windows except for HijackThis and click Fix checked

----------

1) Please print off these instructions - they will be needed later when internet access is not available.

2) Save these instructions in word/notepad to the desktop where they can be easily found.

----------

Boot into Safe Mode

* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Login on your usual account.

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste the following line into it.
C:\WINDOWS\system32\procmsg.exe
Then click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes.

Then run ATF Cleaner.

Make sure that all browser windows are closed.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Reboot to Normal Mode.

----------

Post a new HijackThis log.
 
Okay. All done. I have attached the new Hijack. Only problem was, when I ran killbox it couldn't find the file. I think I might have somehow already deleted it?

When I entered safe mode, I realized he was using SP1... I guess I'll have to upgrade that for him as well.
 
When I entered safe mode, I realized he was using SP1... I guess I'll have to upgrade that for him as well.
Yes I noticed that, but it shouldn't be done until ALL malware is gone. Otherwise it can cause big problems.

Press ctrl+alt+delete (all at once) and find procmsg.exe and right click it and choose End Process.

Open Hijackthis and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe


Then open My Computer from the desktop, go to C:\WINDOWS\system32\procmsg.exe and delete procmsg.exe.


Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Generic Proc"="procmsg.exe"

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript.gif]


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Post the combofix log and a new hijackthis log in the next reply.
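An added example, not part of the thread and not code from the HijackThis project: a small Python triage script that parses the O4, O16 and O23 lines quoted in the two fix lists above and flags the same patterns the helpers acted on (an autorun that is only a bare filename, an ActiveX download from an unexpected host, a service whose binary is missing). The sample log and the trusted-host list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the thread, plus one
# ordinary XP autorun entry so the benign path is exercised too.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Windows Generic Proc] procmsg.exe
O4 - HKCU\..\RunServices: [Windows Generic Proc] procmsg.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c9.cab
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

# Assumed allow-list of hosts an O16 (ActiveX) download is expected from; not an HJT feature.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<url>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


def trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return one (section, name, reason) tuple per suspicious O4/O16/O23 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"].strip('"')
            # A bare filename is resolved through the search path at logon, so the
            # log never shows where the binary really lives; that alone deserves a look.
            if "\\" not in cmd:
                findings.append(("O4", m["name"], f"bare filename {cmd} under {m['hive']}\\{m['key']}"))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if not trusted_host(host):
                findings.append(("O16", m["clsid"], f"ActiveX download from untrusted host {host}"))
        elif m := O23_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(("O23", m["svc"], "service binary missing on disk"))
            elif m["owner"] == "Unknown owner":
                findings.append(("O23", m["svc"], "service has no known owner"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:40} {reason}")
```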
 