I went through the Basic S.T.V. Removal steps - can someone read my HJT log?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Rockhound, Sep 25, 2005.

  1. Rockhound

    Rockhound Private E-2

    Hi,

    My computer was infected with the "Spyware detected! system error #384" along with the desktop warning page about how my life is in danger. Luckily I found this site and the removal procedures outlined in one of the threads. I followed the 7 page outline and the only program I couldn't get to run was RAV Antivirus. It appears that it worked, EXCEPT, now there is just a big white window (where the bright red warning page used to be) on my desktop. I ran another check with Spyware doctor and no infections are indicated. Can someone take a look at this for me - I can attach the HJT log file when ready. Thanks
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Rockhound

    Rockhound Private E-2

    Thanks for your reply. Here is the attached HJT log.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Is EarthLink or PeoplePC your ISP?
     
  5. Rockhound

    Rockhound Private E-2

    Right now it is PeoplePC... it used to be EarthLink.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download Pocket Killbox

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Look in Add or Remove Programs in the Control Panel and uninstall the following:
    Unless you put this in the Internet Explorer Trusted Zone, remove it:
    Next, in HJT choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Do you know what this is? If not, have HJT fix this line also:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    1. Skip this step if you didn't fix the O23 line.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to WindowInstallSystem (4605c13b032svr) ... then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    WindowInstallSystem (4605c13b032svr)

    NOTE the service may be listed as 4605c13b032svr.

    2. Open Windows Explorer navigate to and DELETE the following:

    Reboot and post a new HJT log.
     
  7. Rockhound

    Rockhound Private E-2

    Shadow_Puter_Dude,

    Thanks much for the step by step instructions. I was able to do everything except delete the following file:

    O23 - Service: WindowInstallSystem (4605c13b032svr) - Unknown owner - C:\WINDOWS\4605c13b032.exe

    I tried to delete it in HJT and it said:

    The service '4605c13b032svr' is enabled and/or running. Disable it first, using Hijackthis itself (from the scan results) or the Services MSC window.

    I also couldn't find the file in Windows Explorer. Is there anything else that can be done?

    Attached is the latest log. Thanks for your help!
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    From Add or Remove Programs in the Control Panel uninstall the following:
    Have HJT fix the following:
    Exit HJT

    Reboot into Safe mode.

    Open Windows Explorer and Delete the Following:
    Exit Windows Explorer

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to WindowInstallSystem (4605c13b032svr) ... then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    WindowInstallSystem (4605c13b032svr)

    NOTE the service may be listed as 4605c13b032svr.

    Reboot

    Have HJT fix the following:

    Post a fresh HJT log.
     
  9. Rockhound

    Rockhound Private E-2

    I'm not sure what the deal is but "Wild Tangent" was not in the Programs window of the Control Panel.

    When I went into the "services.msc" box, the only file close to "WindowInstallSystem (4605c13b032svr)" was "Windows Installer" which I did disable.

    I again tried to copy/paste "WindowInstallSystem (4605c13b032svr)" into the "Delete an NT Service" box but it stated it couldn't find it in the Registry.

    The large white window on the desktop is still there. Any ideas on what I'm doing wrong?
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to WindowInstallSystem (4605c13b032svr) ... then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    4605c13b032svr

    Have HJT fix the following:

    Reboot and post a fresh HJT log.

    I don't see a software firewall running, if you don't have one installed, I highly recommend you install one.
     
  11. Rockhound

    Rockhound Private E-2

    Not sure where that program is hiding........I get through this part "Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.".......But

    WindowInstallSystem (4605c13b032svr)

    is not there.

    I then go to HJT to "Delete an NT service", I copy/paste in

    4605c13b032svr

    and get the following:

    The service '4605c13b032svr' is enabled and/or running. Disable it first, using Hijackthis itself (from the scan results) or the Services MSC window.

    Are there bigger guns to use?
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, doesn't like that, try this instead.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to WindowInstallSystem or 4605c13b032svr (It will be one or the other) then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    4605c13b032svr

    Have HJT fix the following:

    Reboot and post a fresh HJT log.
     
  13. Rockhound

    Rockhound Private E-2

    When I get to the box in "Services MSC" and scroll down, the only thing close to "WindowInstallSystem or 4605c13b032svr" is "Windows Installer".

    I disabled that and went through HJT to "Delete an NT Service" on:

    4605c13b032svr

    but keep getting the box saying:

    The service '4605c13b032svr' is enabled and/or running. Disable it first, using Hijackthis itself (from the scan results) or the Services MSC window.

    It seems the only evidence that the file exists is in HJT!
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install Registrar Lite

    OK, boot into safe mode and do the following:

    Run Registrar Lite

    Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Locate the service
    4605c13b032svr and DELETE it.

    Have HJT fix the O23 line.

    Reboot and post a fresh HJT log.
     
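The posts above turn on one detail: HijackThis's O23 line and its "Delete an NT Service" box work with the service's registry key name, while services.msc shows only display names, so an entry that HJT reports can be invisible in the Services window and the delete is refused while the service is still enabled or running. The PowerShell below is an added example (not code from this thread or from the HijackThis / Registrar Lite tools) that reads the same registry key Registrar Lite is pointed at, reports what services.msc would not show, and stops and disables the service before any removal is attempted. The service name 4605c13b032svr is the one from this thread; the function names, the Windows-root heuristic and the use of sc.exe for the final removal are assumptions of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original thread.
# Inspect a service by its registry key name (the name HijackThis uses),
# then stop/disable it so that a removal is no longer refused.

function Get-ServiceRegistryInfo {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ ServiceName = $ServiceName; KeyExists = $false }
    }
    $p = Get-ItemProperty -LiteralPath $key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # ImagePath may be quoted, may carry arguments, and may omit the drive
    # (\SystemRoot\... or \??\C:\...); reduce it to a plain executable path.
    $image = [string]$p.ImagePath
    if ($image -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($image -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    $exe = $exe -replace '^\\\?\?\\', ''

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceName = $ServiceName
        KeyExists   = $true
        DisplayName = $p.DisplayName          # what services.msc shows, if anything
        ImagePath   = $image
        Executable  = $exe
        FileOnDisk  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
        StartType   = if ($null -ne $p.Start) { $startNames[[int]$p.Start] } else { 'unknown' }
        State       = if ($svc) { [string]$svc.Status } else { 'not reported by the Service Control Manager' }
    }
}

function Disable-SuspectService {
    param([Parameter(Mandatory)][string]$ServiceName, [switch]$Remove)

    # Stop and disable first: the "is enabled and/or running" refusal seen in the
    # thread comes from trying to delete a service that is still active.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    if ($svc) { Set-Service -Name $ServiceName -StartupType Disabled }

    if ($Remove) {
        # Same effect as HijackThis's "Delete an NT Service": drop the registration.
        # The binary itself is left for the reader to remove after review.
        & sc.exe delete $ServiceName | Out-Null
    }
    Get-ServiceRegistryInfo -ServiceName $ServiceName
}

function Find-ServicesInWindowsRoot {
    # Review aid (assumed heuristic): services whose executable sits directly in
    # %SystemRoot% rather than in System32 or Program Files, as the O23 entry in
    # this thread (C:\WINDOWS\4605c13b032.exe) did. Entries are for review, not
    # automatic deletion.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ServiceRegistryInfo -ServiceName $_.PSChildName } |
        Where-Object {
            $_.KeyExists -and $_.Executable -and
            ((Split-Path -Parent $_.Executable) -eq $env:SystemRoot)
        }
}

# Usage: the service name from this thread; add -Remove to Disable-SuspectService
# only after the report confirms it is the rogue entry.
Get-ServiceRegistryInfo -ServiceName '4605c13b032svr' | Format-List
Find-ServicesInWindowsRoot | Format-Table ServiceName, DisplayName, Executable, StartType, State
```

If Get-ServiceRegistryInfo reports KeyExists = False and the O23 line still appears in HJT, the scan result is stale or the service lives in a different control set; the registry search step later in the thread is the right next move. A service with FileOnDisk = False is one whose registration outlived its binary, which is exactly the case where the registry key, not the file, is what needs removing.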
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  16. Rockhound

    Rockhound Private E-2

    chaslang,

    Followed "Fixing Locked Desktop" from your 08/17 post and it worked! Thanks for the help.

    Shadow_Puter_Dude,

    Thanks for all your help...I will run that last program and get a software firewall too!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But I was also referring to the rogue services. See messages # 23 to 25 in that thread.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    4605c13b032

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread.
     
