Help! Infected and can't run HijackThis, Spybot, etc...

Discussion in 'Malware Help (A Specialist Will Reply)' started by swpenney, Mar 4, 2008.

  1. swpenney

    swpenney Private E-2

    Okay so I'm not sure how this happened but it appears that my PC has been infected by something. I run PC-cillin and it's always up to date for everything. At any rate, I keep getting messages from an icon in my system tray "Your computer is infected! Windows has detected spyware infection" which I'm sure is part of the infection.

    I've tried to run Spybot, Ad-Aware, Hijack, etc. as I've read in other posts but nothing works. About the only thing I've been able to run is MGtools and come up with the attached logs. Any help someone can give is appreciated.
     


  2. abri

    abri MajorGeek

    Hi swpenny,
    Welcome to Major Geeks!


    Your computer is infected. I would like for you to do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot

    2) After disabling teatimer, please go to the Windows XP Cleaning Procedure and download and run Combofix. Then run SuperAntiSpyware and attach the logs of these two scans.

    If you are not able to run the above two scans, please tell me and I will give you another set of instructions.

    If you are able to run them, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Thanks.
    abri
     
  3. swpenney

    swpenney Private E-2

    Thanks for the help abri!

    Actually just before I got your reply I decided to uninstall Spybot altogether and try a different approach. I found another thread that talked about SuperAntiSpyware and tried that. It appears to have cleaned things up but I'm not positive that I've fixed everything. So just in case, I've attached a HijackThis log for viewing. Let me know if there is something else I should remove / clean / avoid / etc.

    Thx!
    swp
     


  4. abri

    abri MajorGeek

    Hi swpenny,

    HijackThis looks for very specific things and is useful for certain things, but we don't use it exclusively because it doesn't give us the information we need to see if your computer is clean of files related to malware. Please continue with the instructions in post 2 which I will repost here:

    After disabling teatimer, please go to the Windows XP Cleaning Procedure and download and run Combofix and the MGTools. (you don't need to rerun SuperAntiSpyware since you already ran it)

    When you finish the above, please post the MGlogs.zip and the log from Combofix.

    Thanks.
    abri
     
  5. swpenney

    swpenney Private E-2

    Okay got it. Here are the logs from Combofix and MGtools. Hope I've done this properly. Let me know if you need anything else.

    swp
     


  6. abri

    abri MajorGeek

    Hi swpenny,

    Please do the following:

    1) Begin by disabling your guest account if this has not already been done.

    2) Next, please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\onhtp.exe


    3) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 6

    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After you click fix, just close hijackthis.


    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
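A worked example, added here as an illustration and not part of the original thread or of the MGtools/HijackThis tools themselves. Step 7 above asks the poster to pick out one `O4` autorun line from a HijackThis scan; step 2 asks about an unknown executable sitting in the root of `C:\`. The script below shows how a helper would triage a batch of `O4` registry Run-key lines mechanically: it parses the `hive\..\key: [name] command` format, separates the image path from its arguments (honouring quotes the way Windows does), and flags the patterns that usually warrant a second look (an image sitting directly in a drive root, a bare filename resolved through `PATH` at logon, or an image outside `Program Files`/`Windows`). The sample log lines are constructed for this example; only the QuickTime line comes from the thread. The trusted-directory prefixes assume an XP-era system drive of `C:`, which is an assumption, not something the thread states.

```python
import re
from dataclasses import dataclass

# HijackThis "O4" registry autorun line, e.g.
#   O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
# Startup-folder O4 lines ("O4 - Startup: foo.lnk = ...") use a different layout and are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Assumption for this example: XP-era layout with the system drive on C:.
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\windows\\')


@dataclass
class AutorunEntry:
    hive: str   # HKLM / HKCU
    key: str    # Run / RunOnce / ...
    name: str   # registry value name shown in [brackets]
    image: str  # executable path as it appears in the value data
    args: str   # everything after the executable
    raw: str    # the original log line


def split_command(cmd: str):
    """Split a Run-value command into (image, args).

    A quoted image path ends at the closing quote; an unquoted one is taken up
    to and including the first '.exe', which is also how the shell resolves it.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ''
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(?i)^(.*?\.exe)\b(.*)$', cmd)
    if m:
        return m.group(1), m.group(2).strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_o4(line: str):
    """Return an AutorunEntry for a registry O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group('cmd'))
    return AutorunEntry(m.group('hive'), m.group('key'), m.group('name'), image, args, line.strip())


def triage(entry: AutorunEntry):
    """Reasons this entry deserves a closer look; an empty list means nothing odd was seen."""
    reasons = []
    img = entry.image.lower()
    if '\\' not in img:
        reasons.append('bare filename, resolved via PATH at logon')
    elif re.match(r'^[a-z]:\\[^\\]+$', img):
        reasons.append('executable sits directly in a drive root')
    elif not img.startswith(TRUSTED_PREFIXES):
        reasons.append('executable outside Program Files / Windows')
    if '\\temp\\' in img:
        reasons.append('runs from a temp directory')
    return reasons


def triage_log(text: str):
    """Parse every registry O4 line in a HijackThis log and pair it with its triage reasons."""
    results = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            results.append((entry, triage(entry)))
    return results


# Constructed sample log: only the QuickTime line is taken from the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [example_sound] example_sound.exe
O4 - HKCU\..\Run: [example] C:\example_loader.exe /s
O4 - HKLM\..\RunOnce: [cleanup] "C:\WINDOWS\system32\example.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == '__main__':
    for entry, reasons in triage_log(SAMPLE_LOG):
        flag = 'CHECK' if reasons else 'ok   '
        print(f'{flag} {entry.hive}\\{entry.key} [{entry.name}] {entry.image} {entry.args}')
        for r in reasons:
            print(f'        - {r}')
```

The QuickTime entry parses cleanly and raises no flags, which matches the thread: it was removed as an unwanted startup item, not as malware. A root-level executable such as the constructed `C:\example_loader.exe` is exactly the kind of path that step 2 sends to VirusTotal or Jotti before deciding whether to remove it.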
     
  7. swpenney

    swpenney Private E-2

    abri

    I ran all the procedures you said and there doesn't appear to be any problems with how things are running now but I've attached the logs you requested. Let me know if I should be doing something else too.

    Thanks.
    swp
     


  8. abri

    abri MajorGeek

    Hi swpenny,

    Please run Avenger as you did in post 6, step 8 only this time use the contents of this box:
    After you finish with Avenger, then run ATF Cleaner again.

    Attach the Avenger log with your next post.
    Thanks.
    abri
     
  9. swpenney

    swpenney Private E-2

    Hi abri,

    Here is the latest Avenger log.

    swp
     


  10. abri

    abri MajorGeek

    Hi swpenny,
    That looks good. Please go ahead with the final cleanup instructions in the box below:
    abri
     
  11. swpenney

    swpenney Private E-2

    abri,

    Everything is running great now and I've taken the recommendations listed in the how to protect yourself message.

    Thanks again for all the help! :D

    swp
     
  12. abri

    abri MajorGeek

    You're welcome :)
    Happy surfing!
     
