Jacked again...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SWario, Nov 25, 2005.

  1. SWario

    SWario Sergeant

    This time, the problem started when I was extracting a packaged executable. There was an executable within the package that was made to run on my machine after extracting everything else in the package. This "run.exe" installed several files in my WINDOWS and system32 folders, and caused some new processes to appear. Also, my winlogon.exe requested an internet connection. I followed the outlined procedures in the READ ME thread (except that I ran the online scans in Normal Mode; I couldn't boot into Safe Mode with Networking, the computer just hung at the login screen), and the problem has not yet been fixed (I also ran CWShredder since SpyBot detected some instances of CWS). My HJT log is attached.

    Can someone provide me some guidance on this problem?
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process.

    Now scan and have HJT fix the following:

    Download Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the instructions in the following thread
    Running Spy Sweeper


    Post a fresh HijackThis log and the Spy Sweeper log once you have completed the above.
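Editor's added example, not part of the thread and not Pocket Killbox's own code: the "Delete on Reboot" step above depends on Windows being able to defer a file deletion until the next boot, which is the only way to get rid of a DLL that winlogon.exe or another running process keeps open. The PowerShell below (2.0 or later, run elevated) does the unregister-then-delete sequence Shadow_Puter_Dude describes using the documented kernel32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, then shows what the kernel has queued. The page does not say what Killbox does internally, and it does not list the paths to pass; the file path in $targets is a placeholder, so substitute only paths the helper has confirmed are not legitimate Windows components.

```powershell
# Added example (not from the thread or from Pocket Killbox): queue locked
# files for deletion at the next boot via MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT,
# after a best-effort "Unregister DLL" with regsvr32. Run elevated.

$code = @'
using System;
using System.Runtime.InteropServices;
public static class NativeFile {
    public const int MOVEFILE_DELAY_UNTIL_REBOOT = 0x4;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
}
'@
Add-Type -TypeDefinition $code

function Unregister-DllIfPossible {
    param([Parameter(Mandatory)][string]$Path)
    # Killbox's "Unregister DLL" box: only meaningful for COM servers, so failures are ignored.
    if ($Path -match '\.dll$' -and (Test-Path -LiteralPath $Path)) {
        & "$env:SystemRoot\System32\regsvr32.exe" /u /s $Path 2>$null
    }
}

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # As the helper notes, many listed files may not exist; that is fine.
        Write-Host "not present: $Path"
        return $false
    }
    try {
        # A file that no process holds open can simply go now.
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "deleted now: $Path"
        return $true
    } catch {
        # In use (e.g. a Winlogon Notify DLL): a null destination tells the kernel to
        # delete it during the next boot, before any user-mode process can lock it.
        $ok = [NativeFile]::MoveFileEx($Path, $null, [NativeFile]::MOVEFILE_DELAY_UNTIL_REBOOT)
        if ($ok) { Write-Host "queued for deletion at reboot: $Path" }
        else { Write-Host ("failed (Win32 error {0}): {1}" -f [Runtime.InteropServices.Marshal]::GetLastWin32Error(), $Path) }
        return $ok
    }
}

# Placeholder (assumption): replace with the paths the helper gives you.
$targets = @(
    'C:\WINDOWS\system32\example-bad.dll'
)
foreach ($t in $targets) {
    Unregister-DllIfPossible -Path $t
    Remove-FileOnReboot -Path $t | Out-Null
}

# What the kernel will act on at boot: each pending delete appears as a
# "\??\C:\path" entry followed by an empty string.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
```

Do the registry side first (the HJT "fix", i.e. removing whatever autostart entry references the DLL), otherwise the next boot may recreate the file before the pending delete runs, which is the sort of reappearance SWario reports later in the thread.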
     
  3. SWario

    SWario Sergeant

    After running cleanmgr, and attempting to reboot, I've found that I am unable to boot normally into Windows. The boot up process hangs at the "Windows is starting up..." screen. :eek:

    Recommendation here?
     
  4. SWario

    SWario Sergeant

    Oh, also, there was no "ibm00001.exe", however, there WAS a "ibm00002.dll" in the same folder. I did not delete it, because I was not sure about it. I did follow all the other instructions up until the point I mentioned in the previous post.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sometimes, it will hang. Just let it go for a while, and if it does not come up, boot into Safe Mode and reboot again.
     
  6. SWario

    SWario Sergeant

    I have tried rebooting several times, both normally and in the method you described (booting into Safe Mode first, then rebooting) and the system always hangs at that screen. I have left the computer sit for 30 minutes just to make sure of whether it would or would not finish booting.

    Also, the O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll entry has reappeared in HJT, only with a different filename.

    Further recommendations?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, that means Windows is hanging while trying to load a service. Post a HijackThis log.
     
  8. SWario

    SWario Sergeant

    Here's a fresh log. By the way, I've been running all of this from the Administrator account in Safe Mode, and not my own account (the one I use daily), is that a problem at all?
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    According to your HijackThis log you are using MSCONFIG to disable something. Whatever you are disabling with MSCONFIG, please enable, so that I can see what it is and whether or not it needs to be fixed.

    Please run SpySheriff (aka SpywareNo) Removal
     
  10. SWario

    SWario Sergeant

    Under "Services" or "Startup"? I'm not sure what you would like me to enable.



    EDIT: Also, would it be alright for me to shutdown the computer for now? I've got to run for dinner, but can be back after that.
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Enable everything you are using MSCONFIG to disable. It would be better if you leave it running for now, some malware infections mutate at system restart.
     
  12. SWario

    SWario Sergeant

    Alright, I will reenable everything in MSCONFIG, and I will leave the laptop powered on as it is (I'll get it plugged in while I eat). I'll return after that.

    Also, would you like me to run the SpySheriff removal now, or later?

    Thanks for helping me out with this!
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can run it after you get back.
     
  14. SWario

    SWario Sergeant

    Before or after reenabling everything in MSCONFIG, and presumably before giving you another HJT log?


    EDIT: Also, I assume that I should follow the reboot instructions within the SpySheriff removal process?
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run it after you reenable everything in MSCONFIG, and yes give me a new HJT log after you have done everything.
     
  16. SWario

    SWario Sergeant

    Unfortunately, I accidentally restarted the computer when Power Management shut the monitor off, and I tapped the power button to try to "wake it up". In any case, I reenabled everything in MSCONFIG, and restarted the machine to let all the services and processes run normally. Then I ran the "SpySheriff Removal" procedure you directed me to, with the exception of the final reboot. Would you like me to reboot and post a fresh HJT log, or just get you an HJT log without the reboot?
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Reboot and then run HijackThis.
     
  18. SWario

    SWario Sergeant

    Sorry for the delay, I've just discovered that nobody has faith in floppy disks anymore (and therefore lack floppy disk drives - floppy disks are my only reliable means of transferring small files with my laptop in its current state). Also, I've just discovered that (at least for the past 4 hours) viewing of hidden files and folders, file extensions, and system files has been OFF. I have enabled all of them now, although I do not know for how long it has truly been off. In any case, as per your instructions, here is a fresh HJT log from Safe Mode.
     

    Attached Files:
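Editor's added example (not from the thread): SWario found that Explorer's hidden-file, file-extension and system-file views had been switched off. The PowerShell below assumes only the documented Explorer registry locations and nothing about this particular infection. It reads those three settings, puts them back to "show", and then checks the two places malware tampers with so that re-ticking the box in Folder Options silently has no effect: the per-machine CheckedValue templates the dialog reads, and the NoFolderOptions policy that hides the dialog altogether.

```powershell
# Added example (not from the thread): read and restore Explorer's view settings,
# then check the template keys and policy that malware uses to pin them off.

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name -> the setting meaning "show" (documented Explorer semantics).
$wanted = @{
    Hidden          = 1   # 1 = show hidden files and folders, 2 = do not show
    HideFileExt     = 0   # 0 = show extensions for known file types
    ShowSuperHidden = 1   # 1 = show protected operating system files
}

function Get-ExplorerViewState {
    $cur = Get-ItemProperty -Path $adv
    $state = @{}
    foreach ($name in $wanted.Keys) { $state[$name] = $cur.$name }   # $null if never set
    return $state
}

function Repair-ExplorerViewState {
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $adv -Name $name -Value $wanted[$name] -Type DWord
    }
}

# Folder Options reads the "checked" value to write from these machine-wide
# templates. A classic trick is setting CheckedValue to 0 (or retyping it) so
# the checkbox writes the wrong value; the stock value is 1 for both keys.
$templates = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
)
function Test-FolderOptionTemplates {
    foreach ($key in $templates) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { Write-Host "missing: $key"; continue }
        if ($p.CheckedValue -ne 1) { Write-Host "TAMPERED: $key CheckedValue=$($p.CheckedValue) (expected 1)" }
        else { Write-Host "ok: $key" }
    }
}

# NoFolderOptions=1 removes the Folder Options entry from Explorer's menus.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
function Test-FolderOptionsPolicy {
    $v = (Get-ItemProperty -Path $pol -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
    if ($v -eq 1) { Write-Host "POLICY: NoFolderOptions is set under $pol" } else { Write-Host "ok: no NoFolderOptions policy" }
}

Write-Host 'before:'; Get-ExplorerViewState | Format-Table -AutoSize
Repair-ExplorerViewState
Write-Host 'after:';  Get-ExplorerViewState | Format-Table -AutoSize
Test-FolderOptionTemplates
Test-FolderOptionsPolicy
# Explorer caches these settings; restart it (or log off) to apply:
# Stop-Process -Name explorer -Force
```

The per-user values only cover the account you run this under, which matters for this thread because SWario was working from the Administrator account rather than the infected daily-use one. Note that if the templates or policy are tampered with, simply fixing the HKCU values is not enough, since the next visit to Folder Options can undo them.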

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  20. SWario

    SWario Sergeant

    If I cannot boot into Safe Mode with Networking, or Normal Mode, I suppose I should run the two offline scans and ignore the online scan?
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yeah, forget the online scan.
     
  22. SWario

    SWario Sergeant

    The Qoologic scan took a fair bit of time, but the RKTOOLS scan has been sitting here for a while at "Checking system folder...." Is this scan supposed to take a while?



    EDIT: Ah, there it goes. It finally finished. I'll post logs now.
     

    Attached Files:

    • file.txt (4.5 KB)
    • log.txt (772 bytes)
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    RKFiles Tool can take some time to run.
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan a large number of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  25. SWario

    SWario Sergeant

    It's scanning now. Will I also need to do all of this on other user accounts on this PC, or just the Administrator account? (My own account is what I was using when the infection occurred, would that make a difference?)


    Wow, that scan finished faster than I thought it would, maybe about 10-15 minutes? And it created a log file for me it seems. I'll attach that here.
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You should run the scans on all accounts, at some point.
     
  27. SWario

    SWario Sergeant

    Oh, that will be loads of fun. All of these scans? Or only if the accounts are dirty?
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are not showing anything that would explain why your system will no longer boot to Normal Mode and hangs on the Windows screen. You may have to resort to a Repair Install to correct this issue.
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Should be all accounts; I'd start with the ones used the most.
     
  30. SWario

    SWario Sergeant

    Well, I'm running all of these from the account "Administrator" in Safe Mode, there are two other accounts for family members on this computer, but they have not been used since some time around Spring 2005. My personal account is the one that is used primarily. Anything new from that last bunch of scans?


    EDIT: Oh, I didn't see the response above. I'll try booting into Normal Mode, if it hangs, I'll let you know.
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Nothing new. Running the scans from the Administrator Account will catch most of the stuff, you should definitely run the scans from your account also.
     
  32. SWario

    SWario Sergeant

    Okay, it seems to be hanging at the same spot in the booting process. I will try running through scans and removal on my personal account in safe mode, and then if it still does not boot normally, I'll let you know.


    EDIT: A repair install just replaces system files that are corrupted/missing, right? Will this have any effect on OS updates such as service packs and other updates?


    EDIT 2: It was suggested by a friend of mine (who is fairly knowledgeable about computers himself) that if I cannot boot normally, or into Safe Mode with Networking, then the problem may be related to my network procedures/services. Just throwing that out there.
     
  33. SWario

    SWario Sergeant

    I repeated the READ ME process on my personal account (with the exception of any online scans/activity; and all from Safe Mode). Here are the results.

    CCleaner
    - Ran as directed

    Ad-Aware
    - 0 items found (actually, it did detect my "list of recently opened documents", but that was it)

    SpyBot
    - 0 items found
    - All known bad products already blocked with Immunize function

    MS AntiSpyware
    - 1 item found (removed)
    - Trojan.Proxy.Atiup (Trojan)
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - ATI_VER, REG_DWORD, 0x4387d846 (1132976198)

    CWShredder
    - Scanned only
    - 0 instances of CWS detected

    Kill2Me
    - No infection detected, "removed if it was present"


    I will attach an HJT log as of this point from my personal account.
     

    Attached Files:

  34. SWario

    SWario Sergeant

    I noticed that this had been looked over and nothing had been done about it as of yet. Also, I checked out the file properties, and of note was this:
    • Date Created: Tuesday, November 22, 2005, 7:39:37 AM

    This was the time when everything started happening in the first place. I would bet the house that this file is not meant to be in that folder (all the other files are marked as Microsoft files, using all capital letters for their filenames; this "ibm00002.dll" is in lowercase).

    Also, the O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll entry resurfaced as O20 - Winlogon Notify: msupdate - C:\WINDOWS\system32\msctl32.dll and has stayed that way since the first HJT "Fix" was performed, even through numerous restarts.

    Hopefully, these observations help in solving my computer's troubles.
     
  35. SWario

    SWario Sergeant

    In the last post, I meant to say that through all of the HJT logs, O20 - Winlogon Notify: msupdate - C:\WINDOWS\system32\msctl32.dll has remained as the same filename (that the filename has not changed itself through the multiple restarts since it first appeared). The "ibm00002.dll" has also remained unchanged, so at least it seems that the infection is not mutating.

    Still awaiting advice/help on this.
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, it would appear that the infection has mutated. We really need to get you back into Normal Mode, so that everything that may be present is visible. Something you can try before doing a repair install is sfc /scannow from the command prompt. This will replace any missing or corrupt Windows system files. You may have to update your Windows after doing this, but you can do that after we eradicate any viruses on your system.
     
  37. SWario

    SWario Sergeant

    Actually, it seemed to me that since none of the visible, and seemingly, bad files have changed, that the infection was NOT mutating. In any case, my aforementioned friend (the one helping me locally before) also suggested sfc /scannow, but it would not run in Safe Mode. He mentioned something about needing the RPC active, and needing my Windows Installation disc. Also, should either of the files I mentioned in the past few posts be deleted, or should we leave them be?
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Use HijackThis to fix this line:
    O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll

    Use Pocket Killbox to delete these files:
    C:\WINDOWS\system32\msctl32.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

    What else is in C:\Program Files\Common Files\Microsoft Shared\Web Folders?

    I could be wrong, but I don't think SFC requires RPC to work. If it won't run from Safe Mode, try booting Windows in Diagnostic Mode by using MSConfig and selecting Diagnostic Startup, then reboot and run SFC from there. Yes, you need your Windows CD.
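Editor's added example, not code from the thread, from HijackThis or from any tool named in it: the O20 line above is a Winlogon Notify package, a DLL that winlogon.exe loads at logon, which is why the file survived reboots and why a broken one can hang the boot. The PowerShell below audits every Notify package, lists what MSCONFIG has moved out of the Run keys (the item Shadow_Puter_Dude asked about earlier), and scores the DLLs in the Web Folders directory with the checks SWario applied by hand: Authenticode signature, creation time against the incident, and the all-lowercase-name hint. The incident timestamp and the folder path are the ones given in the thread; the registry paths are the documented XP ones; everything else (function names, the seven-day window) is an assumption. Winlogon Notify was removed in Vista, so on a newer machine the first audit is expected to return nothing.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages (HJT "O20"),
# MSCONFIG-disabled items, and DLLs in a folder, using signature, creation time
# and naming as evidence. Run elevated so the HKLM keys are readable.

$notifyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$msconfigKey   = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'  # XP-era MSCONFIG store
$incidentStart = Get-Date '2005-11-22 07:39:00'   # creation time SWario saw on ibm00002.dll
$incidentEnd   = $incidentStart.AddDays(7)        # window width is an assumption

function Resolve-NotifyDll {
    param([Parameter(Mandatory)][string]$DllName)
    # DLLName is a bare name or a full path; bare names are loaded from System32.
    if ([IO.Path]::IsPathRooted($DllName)) { return $DllName }
    Join-Path $env:SystemRoot "System32\$DllName"
}

function Test-SuspiciousFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Suspicious = $true; Reasons = @('file missing') }
    }
    $reasons = @()
    $f   = Get-Item -LiteralPath $Path -Force
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Many OS files are catalog-signed rather than embedded-signed; on Windows 8+ the
    # cmdlet checks catalogs, on older systems "NotSigned" alone proves little.
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($f.CreationTime -ge $incidentStart -and $f.CreationTime -le $incidentEnd) {
        $reasons += "created $($f.CreationTime) inside incident window"
    }
    # SWario's naming heuristic is weak, so it only adds weight when something else fired.
    if ($reasons.Count -gt 0 -and $f.Name -ceq $f.Name.ToLower()) { $reasons += 'all-lowercase name' }
    [pscustomobject]@{ Path = $Path; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-WinlogonNotifyAudit {
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        $r   = Test-SuspiciousFile -Path (Resolve-NotifyDll -DllName $dll)
        [pscustomobject]@{ Package = $_.PSChildName; Dll = $dll
                           Suspicious = $r.Suspicious; Reasons = ($r.Reasons -join '; ') }
    }
}

function Remove-WinlogonNotifyPackage {
    # Same effect as "fixing" the O20 line in HJT: winlogon stops loading the DLL at
    # the next logon. Delete the file afterwards; it is locked while winlogon runs.
    param([Parameter(Mandatory)][string]$Package)
    Remove-Item -Path (Join-Path $notifyKey $Package) -Recurse -Force
}

function Get-MsconfigDisabledItems {
    # Entries MSCONFIG has parked here; HJT only reports that MSCONFIG is in use.
    Get-ChildItem -Path $msconfigKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Item = $_.PSChildName; Command = $p.command; OriginalKey = $p.key }
    }
}

function Get-FolderDllAudit {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Filter *.dll -Force | ForEach-Object {
        $r = Test-SuspiciousFile -Path $_.FullName
        [pscustomobject]@{ File = $_.Name; Created = $_.CreationTime
                           Suspicious = $r.Suspicious; Reasons = ($r.Reasons -join '; ') }
    }
}

Get-WinlogonNotifyAudit   | Format-Table -AutoSize
Get-MsconfigDisabledItems | Format-Table -AutoSize
Get-FolderDllAudit -Folder 'C:\Program Files\Common Files\Microsoft Shared\Web Folders' | Format-Table -AutoSize
# Only after confirming a package is hostile, e.g.:  Remove-WinlogonNotifyPackage 'msupdate'
```

Two caveats a practitioner would want: a legitimate Notify package with a broken or deleted DLL is itself enough to hang at "Windows is starting up...", so check the audit for "file missing" before assuming malware is still active; and the ordering in the thread (remove the registry reference, then delete the DLL on reboot) is the right one, since deleting the file first leaves a dangling reference and deleting the key while the DLL still runs leaves the file free to re-register itself.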
     
  39. SWario

    SWario Sergeant

    I've fixed the HJT item, and I'm about to use Pocket Killbox to delete those two files (unregister DLL and delete on reboot), and I'll be booting back into Safe Mode. In the folder in question are a lot of Microsoft signed DLLs (I can post more info later). See you after a reboot for Killbox.
     
  40. SWario

    SWario Sergeant

    Rebooted, and missed the keypress window to get into Safe Mode. I freaked out, but it booted into Normal Mode! So, I let it boot up fully, and logged into my account. I took a screenshot of that folder to show you its contents, and got a fresh HJT log for you.
     

    Attached Files:

  41. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I noticed that Windows Messenger is running. Do you really want this running?

    You can uninstall ViewPoint by using Add or Remove programs.

    Scan with HijackThis and fix the following:
    OK, let's try some of the scans we couldn't do before.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  42. SWario

    SWario Sergeant

    I will deal with Windows Messenger after the main issues have been taken care of. I've already removed Viewpoint once, so I'm not sure why it's back, but I'll uninstall it again. Right now, I'm not at my computer, I've stopped at a lab while running errands. I'll run all of these scans when I get back to my computer and reconnect it to the Internet.
     
  43. SWario

    SWario Sergeant

    Okay, I'm having network problems with my laptop and my building, so my laptop is still unable to connect to the Internet for whatever reason. =/

    I can run the other two scans and post logs for those, however. I'll do that and return momentarily.
     
  44. SWario

    SWario Sergeant

    Here are the logs from Qoologic and RKTOOL.


    EDIT: Okay, it won't let me upload the log file from RKTOOL. It keeps saying that I already uploaded the file in this thread.

    EDIT2: Oh! I forgot to run the RKTOOL in Safe Mode (I ran it in Normal Mode). Should I do that and try posting the file again, or should I forget it?
     

    Attached Files:

  45. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run them in Normal Mode. Change the name of the RKTool log.
     
  46. SWario

    SWario Sergeant

    I did run them both in normal mode; the Qoologic log is attached to my previous post. I tried changing the name of the RKTOOLS log to log2.txt, and RKTOOLSlog.txt, and both attempts ended with the same error message.
     
  47. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Zip the file and post it.

    [EDIT] Your Qoologic log looks fine.
     
  48. SWario

    SWario Sergeant

    Zipped RKTOOL log.
     

    Attached Files:

  49. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's not showing anything we need to deal with.

    Run WinPFind again from Normal Mode and post that log.
     
  50. SWario

    SWario Sergeant

    Okay, here's the WinPFind log. I'm beginning to wonder if the actual spyware is gone, but that it may have done some raping to my NIC or something related. I'll try connecting another computer to my connection to troubleshoot that for the time being; when I find out whether or not it's spyware related, I'll let you know.
     

    Attached Files:

