Request for help on infection win xp t2

Hi and Welcome

Yes next course of action is to follow the below and attach all the logs requested.



Our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

You need to attach all the logs requested! You are missing some of the logs. Note that ALL steps in the READ ME must be run in the order written. Obtaining the logs in the wrong order will result in incorrect removal procedures being created which is a waste of our time and yours.

The logs requested are:

• CounterSpy
• AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

You only attached

• CounterSpy
• Panda Scan - from step 6
• newfiles.txt - there is no reason to rename it to shownew.txt

And while you ran CounterSpy, you told it to ignore what it found rather than fixing it. You must Quarantine or delete what is found otherwise there is no sense in running the scans. Re-run it, fix what is found and save a new log.

Thus you need to attach:

• CounterSpy - a new log after fixing
• Bitdefender - from step 6
• runkeys.txt - the log from GetRunKey.bat
• HijackThis

 

GetRunKey does not have any popups asking you to click anything. So if you are getting any, it would have to be coming from your security programs (like a firewall or an antivirus). It is strange that you don't have the same issue with ShowNew. Does the message say more than "access denied"?

Please click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands.

cd "C:\Documents and Settings\paul lcf\My Documents\apps\hijackthis\"
getrunkey.bat

What messages do you see in the command prompt window? If you see any error messages check to see if it is one of the ones mentioned on the download page for GetRunKey.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to winipcon
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pastewinipcon into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT and reboot if it tells you it needs to.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_03
Mozilla Firefox (1.5.0.10)
My Way Search Assistant <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox

Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Now look for the below file and delete it if found (it is more than likely already gone):
C:\WINDOWS\system32\ipcon.exe

Now attach new logs from ShowNew and HJT.

How are things working?

 

Please don't use such hard to read colors!!

I'm not sure what you mean! This next line:

C:\runkeys.txt\*, Are you sure <Y/N>?

will not popup due to running GetRunKey.bat. Yes the c:\runkeys.txt file is what GetRunKey.bat is trying to create. But it you are getting a message about are you sure, it is not from GetRunKey.bat. Perhaps your antivirus or antispyware program is questioning whether you want to run the script. Just say yes!

No! Because we are not looking at all of your registry. We are only looking at a very small sample of registry keys often used by malware.

It was an unknown Trojan service. Possibly related to a password stealing trojan.



Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!