Following Posting Directions

P4 2.2 GHZ
XP Home
512 MB RAM
30 Gig HardDrive


I can not seem to get rid of a virus (installer.exe) so I am in the process of following the directions so I can post my results after using HiJack This....

I am up to the: Scanning and Cleaning Steps and Trend's Micro Free Online
Virus Scan it picked up two infected System files:

TROJ CLICKER AS Can not access
1. C:\\Windows\System32\Config\systemprofile\LocalSettings\Temp...

WORM RBOT.GEN Can not access
2. C:\\Windows\System32\wuamk032.exe

Can these be deleted? I didn't delete them, but then I couldn't complete the next step the Symantec Security Check. The system hangs here.

Thanks in advance!

 

Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

Sysclean Package

Pattern.zip

Once you have these downloaded into the folder you just created, double click the file sysclean.com

When the system cleaner loads, click SCAN to start the scanner. After you have completed this scan above procede with the below.


Download HijackThis 1.99.1

Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

Run HijackThis and save your log file.

Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

I ran the Sysclean package and HiJack This as detailed. I still have two viruses (installer.exe and another which only pops up occasionally).

I can't get the attachment to upload. It times out every time. I even tried it on a clean pc???

Once infected computer booted the browser is hijacked:

htt://mynbx247.info

I am also getting an error dialogue box that simply says:

Error: Loader couldn't initialize service!

 

If you cant upload the log then copy and paste the HJT log inline and I will convert it for you.

 

Thanks!

Inline log attached!

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

Viewpoint


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [ZoneEdit] C:\WINDOWS\System32\uzfdy.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
O4 - HKLM\..\Run: [Microsoft Update 32] wininit.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] wininit.exe
O4 - HKCU\..\Run: [update.exe] C:\update.exe

O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\Viewpoint ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\uzfdy.exe

C:\WINDOWS\System32\wuamk032.exe

C:\WINDOWS\system32\1.tmp

C:\update.exe

wininit.exe ←–– Search for this file and delete when found!

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Completed all steps.This time browser wasn't hijacked after normal boot! Nor did AVG pick up on the installer.exe file.

Here is the latest log file.

And THANK YOU for all the help.

 

New HJT log attached.

Other than problem below, things seems to be working smoothly!

Ran into unrelated problem. This is a friend's computer and he never installed XP Service Pack 2. In the middle of this installation, computer froze and it didn't complete the Service Pack 2 install. It now it says system is unstabland it needs to be uninstalled. When uninstalling using Add/Remove Programs it lists all programs on the pc and says uninstalling SP2 may make them unstable?? Do I go ahead anyway?

Sorry if this isn't the place to ask this question..

 

Sorry about that. After cleaning up some of the issues the Automatic Windows update box began to work again and reported the SP2 Critical update needed to be installed. I realize now, I should have waited. When I posted without reporting it, I thought it would simpley be a matter of uninstalling the partial installation. I didn't realize it would detect all pc programs and say they may become unstable.

Attached is the log file.

Thanks for your patience!

 

Uninstalled BitDefender.

Followed instructions.

When I executed Hijack.exe the following happened.

1. An msdos window opens titled C:\Windows\System32.cmd.exe with a flashing cursor. Had to be manually closed

2. A dialogue box popped up with the following error message.
"Your current security settings prohibit running Activ X controls on this page. As a result the page may not display properly."
Clicked ok and the browser completed opening and the URL displaysed

c:\temp\update.html

This browser page displays the instructions on installing the Active X Control

 

Deleted Windows Process Moniter Service as instructed.

Went to instructions on malwre page and followed all steps. Installed ZoneAlarm and ran:
AVG free
Spyware Blaster
Ad-Aware SE
CC Cleaner

Still having windows SP2 update problem as detailed in earlier post. Posted problem on Software forum for advice. Nothing yet.

 

Thank you so much for all your help!