Malware Removal Win XP 32bit

Discussion in 'Malware Help (A Specialist Will Reply)' started by ddbart, Apr 25, 2013.

  1. ddbart

    ddbart Private E-2

    Dear Major Geeks - thank you for all the information you provide to help with infection issues. My email address was hijacked yesterday and 47 people in my address book, or from emails floating around the web or my server, received the hijacker's message that looked like it came from me. I even got one from me to myself. The subject line read only "Fwd:" and the message was a link. Several recipients contacted me right away asking about it. I advised them to delete the email and to not click the link. I don't think it is an ordinary phishing situation because I right-clicked the message that was sent to me from my own email address and viewed Properties. Usually a plain phishing message reveals the sender's actual email address. This one did not. It had no long message or codes, but mainly the sender email was mine.

    I have read all the steps from your forum page about malware removal and have progressed to the point where I have unchecked the hidden file options, and I have also run HJT and will attach my Startup Log to this thread. My virus protection is up to date and current - Microsoft Security Essentials. I also ran an updated version of Stinger - both found no infections, but both scanned my system before I made the hidden file unchecks. I also ran the paid version of Malwarebytes, which had not been installed until I had this problem. I reinstalled it and ran it. No issues were found. I will uninstall this program after submitting this note so that I have only one installed security program, per your request.

    I contacted my host tech support - Host Gator - they provided a detailed page of data from their look into my problem. I do not understand everything their report shows but they advised that more than likely I have a trojan virus that is known to them. They recommended that I come here to MG forum and get started trying to dig it out. I hope you can help me do this and thank you in advance for all you do for so many. I will try to attach the HJT log now.
     

    Attached Files:
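    The question in the post above (did the message really come from my account, or is the sender address just forged?) is usually answered by the Received: chain rather than by the From: address shown in Properties. The script below is an added example, not part of the original thread: it walks the header block from the oldest hop upward and reports where the message first entered the mail system and whether that first hop was an authenticated submission to the victim's own mail server. The two sample messages, host names and IP addresses are constructed for this example; the "ESMTPSA"/"ESMTPA" keyword check relies on the Postfix/Exim convention of appending "A" for an authenticated session, which is an assumption about the receiving server's software.

```python
"""Triage a "from myself" e-mail: forged From: vs. real account compromise.

Added example. Walks the Received: chain (oldest hop first) of a raw RFC 822
message and reports whether the message was submitted through the victim's
own mail server with SMTP AUTH. Sample messages and hosts are constructed.
"""
import email
import re

# Constructed sample 1: submitted to the victim's provider (mail.example.com)
# with an authenticated session ("ESMTPSA") from an IP the victim never uses.
# This is the pattern a stolen mailbox password produces.
COMPROMISED = """\
Return-Path: <victim@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTPS id 1234;
    Thu, 25 Apr 2013 10:01:00 -0500
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.example.com (Postfix) with ESMTPSA id 5678;
    Thu, 25 Apr 2013 10:00:58 -0500
From: victim@example.com
To: victim@example.com
Subject: Fwd:

http://example.invalid/link
"""

# Constructed sample 2: a third-party server writes the victim's address
# into From: and delivers directly to the recipient; the provider never sees it.
SPOOFED = """\
Return-Path: <bounce@spammer.invalid>
Received: from smtp.spammer.invalid (smtp.spammer.invalid [192.0.2.5])
    by mx.recipient.example (Postfix) with ESMTP id 9999;
    Thu, 25 Apr 2013 10:02:00 -0500
From: victim@example.com
To: friend@recipient.example
Subject: Fwd:

http://example.invalid/link
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
# Postfix/Exim append "A" to the protocol keyword for authenticated sessions
# (ESMTPA, ESMTPSA). Assumption: the provider runs one of those MTAs.
AUTH_RE = re.compile(r"\bwith\s+E?SMTPS?A\b", re.IGNORECASE)


def addr_domain(addr):
    """Return the lower-cased domain part of 'Name <user@host>' or 'user@host'."""
    addr = addr.strip().rstrip(">")
    addr = addr.split("<")[-1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def triage(raw, my_domain):
    """Classify a raw message as account_compromise, spoofed_from or unclear."""
    msg = email.message_from_string(raw)
    # Received: headers are prepended by each hop, so the last one is the oldest.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    oldest = hops[-1] if hops else ""
    ip = IP_RE.search(oldest)
    by = BY_RE.search(oldest)
    by_host = by.group(1) if by else ""
    via_my_server = in_domain(by_host, my_domain)
    authenticated = bool(AUTH_RE.search(oldest))
    from_dom = addr_domain(msg.get("From", ""))
    rp_dom = addr_domain(msg.get("Return-Path", ""))

    if via_my_server and authenticated:
        verdict = "account_compromise"   # someone logged in as the victim
    elif from_dom == my_domain.lower() and not via_my_server:
        verdict = "spoofed_from"         # header forged elsewhere
    else:
        verdict = "unclear"
    return {
        "verdict": verdict,
        "origin_ip": ip.group(1) if ip else "",
        "first_server": by_host,
        "authenticated_submission": authenticated,
        "return_path_matches_from": from_dom == rp_dom,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for label, raw in (("compromised", COMPROMISED), ("spoofed", SPOOFED)):
        print(label, triage(raw, "example.com"))
```

    The practical difference matters for cleanup: a spoofed From: needs nothing on the victim's PC, while an authenticated submission through the provider means the mailbox password is in someone else's hands and must be changed from a machine believed clean, which is the situation the host's report in this thread describes.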

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message, including the notes, before doing anything. Note: if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.



    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:


    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. ddbart

    ddbart Private E-2

    Thank you, Tim. I have run all the programs and obtained the logs - attached to this reply. My problem may be different from the usual infection because I am trying to find a trojan virus or something on my machine that is related to my email being hijacked a few days ago - my server Host Gator said that the outgoing messages they viewed are "consistent" with some kind of trojan virus somewhere on my machine. Anyway, this is all beyond me and I am attaching the logs in case you can see something that will help get rid of the problem. Thank you again for your help.
     

    Attached Files:

  4. ddbart

    ddbart Private E-2

    Sorry - forgot Malwarebytes log (attached)
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the log from running RogueKiller.
     
  6. ddbart

    ddbart Private E-2

    Sorry I missed that - thanks again for your help.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not finding much in the way of malware. Let's just do this:

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [TASK][SUSP PATH] At1.job : C:\Documents and Settings\User\Application Data\DSite\UpdateProc\UpdateTask.exe /Check [-] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now rerun Hitman and remove what it found.

    Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.

    Tell me how things are running.
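    RogueKiller tagged the At1.job entry above as [SUSP PATH] because the task's executable sits under the user's Application Data folder rather than under Program Files or System32. The script below is an added example, not RogueKiller's own code and not output from this thread: it reproduces that kind of path heuristic over a constructed list of Windows XP scheduled-task command lines, including the unquoted-path handling that Windows applies when it resolves a command such as the At1.job one. The directory rules, the extra "system binary name outside the Windows folder" check and the other task entries are my assumptions for the example; only the At1.job line is taken from the post.

```python
"""Flag scheduled-task commands that run from user-writable locations (XP layout).

Added example. Reproduces a [SUSP PATH]-style heuristic: a persistence entry
whose executable lives under a user profile or a Temp folder is suspicious,
one under Program Files / System32 is not. Task list is constructed.
"""
import fnmatch
import ntpath
import re

# Locations a normally installed program runs from (Windows XP layout).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files",
)
# User-writable locations where droppers park a persistence binary.
USER_WRITABLE = (
    r"c:\documents and settings\*\application data",
    r"c:\documents and settings\*\local settings\application data",
    r"c:\documents and settings\*\local settings\temp",
    r"c:\windows\temp",
)
# Names that only belong in the Windows directory; elsewhere they are a masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# Constructed task entries (job name, command line). Only At1.job is from the thread.
TASKS = [
    ("At1.job", r"C:\Documents and Settings\User\Application Data\DSite\UpdateProc\UpdateTask.exe /Check"),
    ("At2.job", r"C:\WINDOWS\system32\defrag.exe C:"),
    ("Backup.job", r'"C:\Program Files\Example Backup\backup.exe" /nightly'),
    ("At3.job", r"C:\Documents and Settings\User\Local Settings\Temp\svchost.exe"),
]


def executable_of(cmdline):
    """Extract the program path the way CreateProcess resolves an unquoted command.

    A quoted path ends at the closing quote; an unquoted path with spaces is
    taken up to the first '.exe' that is followed by whitespace or end of line.
    """
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _under(path, roots):
    path = path.lower()
    return any(fnmatch.fnmatchcase(path, root.lower() + "\\*") for root in roots)


def classify(cmdline):
    """Return {'exe', 'verdict', 'reason'} for one scheduled-task command line."""
    exe = executable_of(cmdline)
    name = ntpath.basename(exe).lower()
    if _under(exe, USER_WRITABLE):           # check before TRUSTED: \windows\temp is under \windows
        return {"exe": exe, "verdict": "suspicious", "reason": "runs from a user-writable location"}
    if name in SYSTEM_NAMES and not _under(exe, (r"c:\windows",)):
        return {"exe": exe, "verdict": "suspicious", "reason": "system binary name outside the Windows folder"}
    if _under(exe, TRUSTED_ROOTS):
        return {"exe": exe, "verdict": "trusted", "reason": "installed program location"}
    return {"exe": exe, "verdict": "unknown", "reason": "uncommon location, review manually"}


def scan(tasks):
    """Classify every (job, cmdline) pair; returns a list of result dicts."""
    results = []
    for job, cmdline in tasks:
        r = classify(cmdline)
        r["job"] = job
        results.append(r)
    return results


def suspicious_jobs(tasks):
    return [r["job"] for r in scan(tasks) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for r in scan(TASKS):
        print("[%s] %s : %s (%s)" % (r["verdict"].upper(), r["job"], r["exe"], r["reason"]))
```

    The same rule set would flag a Run-key or service ImagePath value; the point of checking the resolved executable rather than the raw command line is that an unquoted path with spaces, like the At1.job one, is otherwise easy to misread as "C:\Documents".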
     
  8. ddbart

    ddbart Private E-2

    Tim - thanks again for your help. I attached 3 RogueKiller reports because I wasn't sure why I ended up with 3 instead of the 2 requested - maybe #3 was generated when I deleted the one file per instructions? #4 is the log after reboot and re-run of RKiller.

    My machine seems to be running with no issues. One thing that bothers me is that when I attempt to access my online bank acct, since the email hijacking, I get a warning message that the site I am trying to visit has an expired certificate (see attached screenshot). The warning suggests that my machine may have a virus. This is not why I started the thread here at MajorGeeks - I started the thread at the advice of my internet server Host Gator. I reported the email hijacking to them and they looked thru my outgoing messages and sent a complete report to me showing that 47 people from my address book were randomly sent the spam mail from me by the hijacker. As far as I know the spam message contained a link only. At least that is the message I got since the hijacker sent it to me as well. One friend emailed to say he clicked the link and it was a webpage selling Raspberry drops - of course that might have been a virus infecting site - I don't know.

    One other possible coincidence that is worth mentioning is that I have 2 external hard drives, F and G. I keep the F drive turned off because it is full with video and media files. It also has a downloads folder and a folder I created and copied old files into from my previous computer, which was infected. I am concerned that this F drive could be a hiding place for some infection and maybe even the one that is associated with my recent email hijacking. I turn that drive on occasionally when I want to retrieve a media file - interestingly, the email hijack may have occurred when I recently had the F drive on. Unfortunately, none of the scans from this thread looked at the F drive. It seems the G drive, which is on all the time, was not scanned by any of the actions taken so far, either. Should we get some of these malware programs to look at those drives? Thanks again for your help - much appreciated.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I trust you have cleaned out your emails.

    Turn on your drives and try an online scan:

    eSet Online Scan.

    Be patient as it will take a while.
     
  10. ddbart

    ddbart Private E-2

    Was a long process but might have done something - thanks Tim. Long because of so many files, mostly video and media files. I have a log to show you. It shows 9 threats were found and quarantined by ESET - I saved the list to my desktop (attached). Then I selected uninstall ESET and Delete the quarantined files - which I hope means they are deleted off my system completely. I then rebooted.

    I value your thoughts on these results.
    Currently, when I reboot the pc Malwarebytes automatically scans something and shows a report. I have the pro version because I bought it several years ago. Should I uninstall it or Microsoft Security Essentials, or leave either or both running on my machine? I have Stinger and CCleaner on my machine also - should I keep them or remove them? Also, what should I do with the other malware programs that I have installed during this process?

    Also I ran ESET from IE and after running it I was getting a popup in IE asking if I wanted to download an RKiller file from MajorGeeks, and I did not understand that, but the thing saved a log to my desktop (attached). It had some notes about things FOUND that I thought you should see, but for some reason I cannot get the attachment to upload here at MG.

    I appreciate your help very much - please advise what you think and whether I should do any other scans etc. Thanks very much.
     

    Attached Files:

  11. ddbart

    ddbart Private E-2

    Meant to add that I had not deleted emails until I saw your last comment. I had over 4000 messages saved in my inbox and almost 8000 in my sent box. I deleted all of them before running the ESET scan. I have many email folders filled with emails that I have saved - orders from online stores, taxes, all kinds of contacts etc. Are these emails a threat?
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Don't uninstall anything. You should keep both MBAM and MSE. What issues remain, if any?
     
  13. ddbart

    ddbart Private E-2

    Understood. I have no noticeable issues on my computer and did not have any obvious issues leading up to my original post. I started this post because Host Gator advised me to come here to try and get my machine cleaned because someone hijacked my email last week. According to them the outgoing messages they looked at were consistent with some kind of trojan virus on board that was sending out spam mail using my email address. Other than that I have no issues. I did notice that I get that warning when I try to access my bank acct online - this started happening after the hijacking. I get that notice warning me to not proceed to my bank page because they say the security certificate has expired. That message never happened before. So I am concerned that the hijacker is watching my logins etc. to access my online accounts. I value your thoughts and thank you very much for your help. How can I visit my online bank page without getting that security warning?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you use a different computer to access your bank, do you still get the same warning?
     
  15. ddbart

    ddbart Private E-2

    I have not had a chance to try that. I usually accessed the online account from a link I saved that took me directly to the login page. That is the link that gives me the warning message. If I go to the bank home page first and then login I do not get any warning message.

    I just discovered another odd thing. I rarely login at facebook but did so this morning. I got a message from fb that my page was temporarily blocked because someone tried to login from an unexpected/unfamiliar location to fb. They gave me a "continue" button to resolve the issue. I followed it and they showed a map with an arrow in some place in NJ and asked if I approved that access. I said "no" and then fb allowed me to login. I am not sure it was related to the email hijack because I had not logged in at fb for months and the hijack happened a week or 2 ago. I had given google permission to update my fb page from youtube - this was a few weeks ago. Perhaps that was the NJ attempt to login at my fb page - I don't know.

    Thanks very much for your help and time, Tim. I will copy the link to my login page at the online bank and try to use it from another computer when I get opportunity. Perhaps the local public library would be a good place to do it. Will let you know what I find one day this coming week when I can get to the library during their open hours.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You just need to delete that old link and establish a new link.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work thru the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  17. ddbart

    ddbart Private E-2

    Tim - I could not find the malware programs that I added to my desktop to uninstall them. They did not show up in Add/Remove Programs or in my start folder. Right clicking them on the desktop there was no uninstall option. However, when I ran MGClean.bat it removed all of them and itself, leaving only HitmanPro. I cannot find a way to remove HitmanPro.

    I have not done anything else yet from your last instruction. Can you tell me how to get rid of HitmanPro? I will then proceed with your other instructions. Thanks again for your help. So far all is well.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just right click Hitman and choose delete. ;)
     
  19. ddbart

    ddbart Private E-2

    Well Tim - it took me awhile to get thru all the tips and so far no further issues on my machine - thanks so much for your help. The only tip I have not acted on so far is changing to a different firewall than Win Security Essentials. Since I am keeping Win Security Essentials as my antivirus I thought to leave the firewall alone - it is enabled. Thank you again - very much appreciate your help. If you have any further suggestions I'll be happy to review them.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome. Safe surfing. :)
     
  21. ddbart

    ddbart Private E-2

    Tim - sorry to trouble you with this but sure hope you can help. I accidentally dragged a desktop calendar off the screen to the bottom side and cannot reach it with the mouse to drag it back to the viewable part of the desktop. How can I fix it? I have a lot of important dates and appointments on the calendar that I do not have recorded anywhere else and need the thing. Hope you can tell me what to do. Never mind Tim - I found a way to get it back - I changed desktop settings to a lower resolution temporarily and the calendar showed up - I moved it up and then changed settings back. Sorry to bother you. skip
     
    Last edited: May 24, 2013
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem. ;)
     
  23. ddbart

    ddbart Private E-2

    Tim - not sure I have any issue but my computer has become slow when clicking around the internet. Is that the real time protection from Malwarebytes slowing me down? More a concern is that recently I am noticing Outlook Express is not saving all my email replies. For some reason it does not save replies to certain people. I have always had it set to automatically save replies. Any thoughts? skip
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are having issues with your email, best to post in the software forum for additional assistance.
     
  25. ddbart

    ddbart Private E-2

    ok Tim - thx.
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem. Safe surfing. :)
     
  27. ddbart

    ddbart Private E-2

    Tim - I do a lot of video processing and uploading to youtube and have found my machine running more slowly, especially when working on video files and even playing them back. I think I might have made some changes to the Malwarebytes settings and those changes have slowed everything down. Now I cannot even play a high quality video clip without it being pixelated and freezing after a couple seconds. When this happens, my whole pc is unresponsive until whatever is going on is finished. Do you think Malwarebytes real time protection is doing this? Is there any way I can keep it running but still have the ability to handle my video files? Right now I'm thinking about uninstalling Malwarebytes.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As long as you have a way of reinstalling it, go ahead and uninstall it and see if that helps. Otherwise, post in the software forum for additional assistance.
     
