HKTL PROCKILL.A virus....HELP!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Squidink, May 16, 2006.

  1. Squidink

    Squidink Private E-2

    Hi! Trendmicro finds this virus, HKTL PROCKILL.A, but can't get rid of it. I've run Adaware, Stinger, Spybot, AVG and Trojan Hunter, but they don't detect it. Trendmicro also says I have pop06ap2.exe, but it doesn't get rid of that either.

    Also...all my desktop icons have changed to a white square..I assume this has something to do with this virus.

    Can anyone help?
    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is a valid detection? Is it by any chance detecting some files from any HP equipment like below:

    C:\Hp\bin\Terminator.exe

    This is not a virus but Terminator.exe is part of HP's Backweb utility and is considered spyware. If this is what is being detected, you may want to read some discussion about it in the below link:

    http://castlecops.com/print-1-141601.html
     
  3. Squidink

    Squidink Private E-2

    I read the link you gave, but it's a little over my head! Trendmicro is the ONLY virus/malware scanner that detects this thing, and yes, it is in the hp/bin under terminator.exe, although when I look in hp/bin, I can't find it! So, what I'm reading is that it is spyware from an HP update and I shouldn't delete it or I should delete it? A bit confused here! LOL! Also, the Adaware popuppers pop06ap2.exe, I can find in my files, but how do I get rid of it?
    Thanks for your help!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore the HP stuff for now as it is really not TRUE malware. However you need to run our standard cleaning procedures so we can check out your other malware issues.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  5. Squidink

    Squidink Private E-2

    Okay...I spent the whole day following the Read & Run Me First stuff...I hope I did everything right.

    The first question I have is when do I enable the hidden files again? Should I have done that already?

    CCleaner removed 77.8 MB of stuff
    Microsoft Malicious Software Removal Tool found nothing.
    Ad-Aware found nothing.
    CounterSpy found stuff...I've attached that log.
    CWShredder..nothing
    Kill2Me...nothing
    Spybot wouldn't work...I couldn't get it to update and it wouldn't run without updating.
    BitDefender found various things, including the Terminator.exe, which it said it deleted. I've attached that log here.
    PandaScan found some things as well, and the log is attached.
     

    Attached Files:

  6. Squidink

    Squidink Private E-2

    I forgot to say that my computer seems to be running much faster than it was this morning, which is good, yes?

    Another thing...and this has been happening for awhile now (months) ...every time I start my computer I get a popup that says

    Runner Error
    invalid BackWeb application id "137903"

    What is this and can I make it go away?

    Thanks again for all your help!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log. Please attach it.

    If you are getting an error message about bad checksum, just choose a different download server from the list.

    You can also download updates manually. See: Spybot Search and Destroy Update May 16, 2006

    You did not follow the directions in step 7 of the READ ME to install HJT properly and as a result are running it exactly how we request not to run it. You are using WinRAR to run it directly from the ZIP file. You must extract it from the ZIP file and put it into the requested folder. Please fix this now before continuing!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have an old remnant service running from having Symantec Antivirus installed at some time. Let's fix this!

    What I'm referring to can be seen in the below line in your HJT log:
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    To remove it requires special steps given below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Network Drivers Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SNDSrvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\Symantec Shared <-- the whole folder
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. Squidink

    Squidink Private E-2


    Sorry I forgot that one. I got Spybot to load this morning...do you want me to install ALL the updates? I didn't upload the "English language" ones or one that said TeaTimer.

    Hope this Hijack Log is the way you want it.
     

    Attached Files:

  10. Squidink

    Squidink Private E-2

    It already said that service was stopped, but I did disable it.

    I did this step, but when I clicked it, it said that it was "system critical and can't be deleted!"



    When I exited, it asked me to re-boot, so I assumed the step didn't work, so I didn't continue with the rest of your instructions. I tried it again and the same thing happened...Hijack This won't remove that. Please advise what to do next.
     
  11. Squidink

    Squidink Private E-2

    Isn't there an edit your post function? I hate to keep adding posts...


    Anyway, what I meant to type was HijackThis! did NOT ask me to reboot, so I assumed the step didn't work after it said it wouldn't delete the SNDSrvc.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was a note in my previous message that said
    Thus you were supposed to ignore the message and continue. Also I did not want you to reboot any way, so since it did not ask, that's fine.

    Just complete the rest of the steps. The Symantec Service was not stopped, disabled and deleted in the last HJT log you attached.

    The ability to Edit is normally only allowed for 5 minutes. Proofread before clicking submit! ;)

    Why did you tell CounterSpy to Ignore what it found? Run it again and let it fix the problems it found. Attach the new log!
     
  13. Squidink

    Squidink Private E-2


    Alrighty....I've attached the new scan results from CounterSpy and a new HijackThis! log. I made sure the files CounterSpy found got deleted this time. It recommended to quarantine one of the items instead of deleting it, so I said okay to that, not really knowing any better myself. :)

    The backweb pop-up is GONE! (Yay!) and my computer is running a little slower than it was yesterday after I did all the scanning and stuff, but still faster than it has been.

    Thanks again for your help and your patience.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is CounterSpy the free trial version from the READ & RUN ME?

    You can delete the file you quarantined with CounterSpy?

    Your HJT log is clean now; however, you can have HJT fix the below lines to help speed things up. They are not required and just waste system resources:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    Question: Do you use the below? I believe Zing.com is out of business.
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe


    Are you having any malware problems?
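    The HijackThis lines quoted in posts 8 and 14 above (the O4 Run entries, the O15 Trusted Zone entry, the O16 DPF download and the O23 Symantec service) follow a fixed text format. Below is an added example, not from this thread and not HijackThis' own code, of a small Python parser that turns such lines into records, pulls the program path out of each Run command line, gives a plain reason why an analyst would look twice at an entry (without issuing a verdict), and lists O23 services whose image file is gone, the kind of remnant the thread removes with "Delete an NT Service". The sample log is constructed from the lines quoted in the thread; the `exists` callback is a hypothetical hook so the orphan check can run without access to the machine in question.

```python
"""Parse HijackThis-style O4/O15/O16/O23 log lines into records and
flag the kinds of entries a malware-help thread singles out for review."""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample, assembled from the HJT lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""


@dataclass
class Entry:
    kind: str                 # "O4", "O15", "O16" or "O23"
    location: str             # registry key, "Global Startup", "Trusted Zone", "DPF" or "Service"
    name: str                 # value name, .lnk name, domain, class name or service display name
    target: str               # command line, domain, URL or service image path
    extra: Dict[str, str] = field(default_factory=dict)


# One regex per line shape; the first group is always the "location" part.
_PATTERNS = [
    ("O4", re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")),
    ("O4", re.compile(r"^O4 - (Global Startup): (.+?) = (.+)$")),
    ("O15", re.compile(r"^O15 - (Trusted Zone): (.+)$")),
    ("O16", re.compile(r"^O16 - (DPF): (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$")),
    ("O23", re.compile(r"^O23 - (Service): (.+?) \((\w+)\) - (.+?) - (.+)$")),
]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised line, or None for anything else."""
    for kind, pat in _PATTERNS:
        m = pat.match(line.strip())
        if not m:
            continue
        g = m.groups()
        if kind == "O4":
            return Entry(kind, g[0], g[1], g[2])
        if kind == "O15":
            return Entry(kind, g[0], g[1], g[1])
        if kind == "O16":
            return Entry(kind, g[0], g[2], g[3], {"clsid": g[1]})
        if kind == "O23":
            return Entry(kind, g[0], g[1], g[4], {"short_name": g[2], "vendor": g[3]})
    return None


def parse_hjt_log(text: str) -> List[Entry]:
    """Parse every recognised line of a log; unknown line types are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def executable_of(cmdline: str) -> str:
    """Pull the program path out of a Run command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    # Unquoted paths may contain spaces, so cut at the first ".exe" instead.
    m = re.match(r"^(.*?\.exe)(\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split()[0]


def review_reasons(e: Entry) -> List[str]:
    """Why an analyst would look twice at this entry (a reason, not a verdict)."""
    reasons = []
    if e.kind == "O15":
        reasons.append(f"{e.name} added to IE Trusted Zone: relaxed security settings apply to it")
    elif e.kind == "O16":
        reasons.append(f"ActiveX control downloaded from {urlsplit(e.target).hostname}")
    elif e.kind == "O4" and e.location == "Global Startup":
        reasons.append(f"launched for every user from the common Startup folder: {executable_of(e.target)}")
    elif e.kind == "O23":
        reasons.append(f"third-party service {e.extra['short_name']} by {e.extra['vendor']}")
    return reasons


def orphaned_services(entries: List[Entry],
                      exists: Callable[[str], bool] = os.path.exists) -> List[Entry]:
    """O23 services whose image path no longer exists, e.g. remnants of a
    removed product. `exists` is a hypothetical hook so the check can run off-box."""
    return [e for e in entries if e.kind == "O23" and not exists(e.target)]


if __name__ == "__main__":
    for entry in parse_hjt_log(SAMPLE_LOG):
        print(entry.kind, entry.name, review_reasons(entry))
```

Run it as-is to see the parsed sample; on the affected machine, pass the real log text to `parse_hjt_log` and leave `exists` at its default so `orphaned_services` checks the actual image paths.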
     
  15. Squidink

    Squidink Private E-2


    Yes, it's the free trial version of CounterSpy. Would you recommend buying this program? It seemed to work really well. I was able to delete the file that CounterSpy had quarantined.

    I have no idea what Zing is, so I guess I'll go ahead and have HJT fix that and the others you've listed.

    I am not having any malware problems, BUT when I boot up, I get a pop up message from CounterSpy that says "A start up program requires approval...in C:/Doc&settings/owner/startmenu/programs/startup/AutoTBar.exe
    Do you want to allow or block it?"

    I have been clicking on "block" because I don't know what it is.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's good but personally if you are willing to purchase a program for this function, I like Spy Sweeper more.

    Look for it in Add/Remove programs and uninstall it.

    It's junk from Hewlett Packard that you probably do not need or want. See the below links:
    http://www.bleepingcomputer.com/startups/autotbar.exe-439.html
    http://www.bleepingcomputer.com/startups/AUTOTKIT.EXE-440.html
     
  17. Squidink

    Squidink Private E-2

    All clear! I can't thank you enough for all your time and help!:cool:
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
