Need urgent help with virus, winh32

[mcgilles]

I hope someone can help me remove a virus from a computer. its running windows XP.

anti-virus captures winh32.exe as a trojen (among other things). It keeps showing up. the desktop background is being changed to a screen which says "Warning! Spyware threat has been detected on your PC." it goes on to say that unauthorized access was gained by another computer. I cannot bring up the task manager because the option is greyed out (spybot found the reg key which is doing this, but it reappears after being removed) I am also getting pop ups and security warnings in the taskbar. one of the pop-ups is a suspicious looking window with poorly formatted graphics, it has links to some pay-ware anti-spyware stuff.

I have run spybot and adaware, it has avast 4 antivirus. I will post the hijack this and combofix logs below. I would greatly appreciate any help anyone could offer to clear this computer.

(Moderator edit: Please do not copy and paste your logs. Instead, post them as attachments only in either .txt or .log format. To learn how to attach a log file, please see HERE.)

 

[evilfantasy]

Delete/uninstall the version of HijackThis you have.

Go HERE and download the new version of HijackThis.

Run a new scan and save the log to your desktop. Then please post all logs as an attachments.

To add attachments, when replying click the Post Reply button >> << and scroll down to where it says Manage Attachments.

 

[mcgilles]

sorry! I guess I had an out of date version, attached is the new log. I ran this in safe mode, I can run it in normal mode if that would make a difference in the resident processes.

Thanks in advance for your help!

 

[evilfantasy]

Yes normal boot mode is needed.

 

[mcgilles]

here is a normal boot mode log.

 

[evilfantasy]

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

O2 - BHO: qiawpbjj.msdn_hlp - {66E72884-4FD2-464F-A6B8-468F31C40E36} - C:\WINDOWS\system32\qiawpbjj.dll (file missing)

Now click on "Fix checked"

=====

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
qiawpbjj.dll

Registry::
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66E72884-4FD2-464F-A6B8-468F31C40E36}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

=====

Next post please attach the
combofix.txt
A NEW HijackThis log

 

[mcgilles]

Thank you so much for your help. I can already see an improvement in the situation. here are the latest logs.

 

[evilfantasy]

Open HijackThis and select Do a system scan only

Place a check mark next to

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

Close all windows and click Fix checked

======

Requires Internet Explorer

Use the ESET Nod32 Online Scanner
Click YES, I accept the Terms of Use. Then click Start
The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt
Add the EsetOnlineScanner\log.txt in your post as an Attachment

===

Post the ESET scan log and a new HijackThis log in the next post.