Still problems after Smitfiles.txt

Discussion in 'Malware Help (A Specialist Will Reply)' started by lroush999, Aug 24, 2006.

  1. lroush999

    lroush999 Private E-2

    First of all, I want to say thank you for the amazing amount of information that is available on this site. I know I would not be back as functional as I am without the help I have already gotten from reading the 'Sticky' posts that are here.

    That said, I am still experiencing a few problems, but I can see the light at the end of the tunnel.

    I know I had SpySheriff and Raze something or other... I have run Spybot more times than I can count (I already had it prior to following your instructions) and I have deleted / fixed a lot of issues. At the worst point, I could not access the internet without multiple emails spawning and tying up my computer. This made it difficult to download and run all of the programs that you suggested in READ and RUN ME FIRST.

    So here I am. After following the instructions under SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal I ran the smitRem.exe file and I think it got most of the issues. I am now just experiencing the following (that I know of).

    1. When I boot up a command window appears that is called netsh.exe. This was also happening when I was having the problems I described earlier. I thought it was a major source of the problem, as it seems to do other things to my computer.
    2. I get a message that it can't find a file: ibm00011.exe
    3. I get a message that rspcc.com needs to terminate.
    4. Task manager is still disabled.

    The last thing I did was run the Panda Scan and it says I still have a lot of problems. I guess at this point I'm asking for your help in solving this issue! I'm attaching my Hijackthis file, my Smitfile and my PandaScan.

    I hope I did things correctly so that you can help me and not get frustrated!
    My pc is an Intel Celeron 2.4 GHz with 512MB and 80G hard drive. I'm running Windows XP Home Edition SP2.

    Thanks again for all of this information!
     


  2. lroush999

    lroush999 Private E-2

    I know the request for these is coming, so I thought I would beat you to it!
     


  3. matt.chugg

    matt.chugg MajorGeek

    You have not installed Shownew or RunKeys correctly, download and extract each one to a separate folder. DO NOT run the batch files from the zip.

    Please do this now and upload new logs.
     
  4. lroush999

    lroush999 Private E-2

    unfortunately, I have bigger problems than that (by the way, I DID unzip and put them in a separate file. I did not run them from Winzip).

    Now, when I reboot my machine I get the error 'Services and Controller app has encountered a problem and needs to close. We are sorry for the inconvenience.' It asks me to send an error report or not. When I click Don't Send, it disappears and I get the error "System process c:\windows\system32\services.exe terminated unexpectedly with status code -1073741819. The system will now shut down and restart."

    Also, my spawning emails are back. ARGH!
     
  5. lroush999

    lroush999 Private E-2

    ok.. I rebooted in Safe Mode and reran. Here are the files. My machine was working fairly normally this morning, but now I'm worse off than ever... Any help is greatly appreciated!!
     


  6. matt.chugg

    matt.chugg MajorGeek

    Do you have a firewall installed?

    If not download ZA free now and install it.

    Download the zip file attached to this post and extract both files to the same folder

    run the getdetails.bat file (NOT the exe) and post the log created in c:\getdetails001.txt
     


  7. lroush999

    lroush999 Private E-2

    here's the file. I do have a firewall - I believe it's included with Norton Internet Security, right? I also have a firewall built into my wireless router.

    I can't access the internet to download anything at the moment. I am accessing the forum via a laptop and I'm transferring files back and forth with a thumb drive. Lots of fun! Thanks for your help!
     


  8. matt.chugg

    matt.chugg MajorGeek

    Did you run it in safe mode? Are you able to boot to normal mode at all, or do you have the issue the whole time?

    If possible, boot into normal mode and rerun the bat file. If not, let me know and we will continue from safe mode.
     
  9. lroush999

    lroush999 Private E-2

    yes, I ran it in safe mode... I will try booting normally again and let you know
     
  10. matt.chugg

    matt.chugg MajorGeek

    if you get the shutting down message again, try going to Start -> run and typing in 'shutdown -a' (without quotes) and see if that stops the countdown.
     
  11. lroush999

    lroush999 Private E-2

    ok, I got the same error messages this time, but I was able to run the bat file before it shut itself down. Here it is...
    doesn't look like much judging by the size of it
     


  12. lroush999

    lroush999 Private E-2

    ok.. I will try that and post it again if it works..
     
  13. matt.chugg

    matt.chugg MajorGeek

    OK, not to worry, there seems to be a small bug in the exe that I will have to find and fix.

    We need to fix this issue before we continue.

    Reboot to normal mode.

    When it starts counting down again goto start --> run

    type in 'shutdown -a' (no quotes) and hit enter

    This should abort the shutdown.


    Do you have any HP hardware? Or is this computer an Acer laptop?

    Goto Start -> run and type in:

    regsvr32 MSXML3.dll

    and hit enter then reboot.
     
  14. lroush999

    lroush999 Private E-2

    ok.. somehow this time I managed to stay in normal mode (not sure what I did differently) but when I run the bat file it says Run-time error '5': Invalid procedure call or argument
     
  15. lroush999

    lroush999 Private E-2

    ok.. ran the regsvr32 and I am rebooting now.. normal mode?
     
  16. lroush999

    lroush999 Private E-2

    sorry I didn't answer your question before - no HP hardware.. all Dell and it's not a laptop

    ok.. after reboot it looks better... I still get the ibm00011.exe error and I'm afraid to try and do anything else..
     
  17. matt.chugg

    matt.chugg MajorGeek

    Yes.

    You didn't answer my question: do you have any HP hardware? Printer, scanner? This error is often associated with HP hardware drivers.
     
  18. matt.chugg

    matt.chugg MajorGeek

    OK, let's try starting the fix then!

    The installed version of Java on this computer is out-dated.
    Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer, before installing the latest version of Java.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.



    Run HijackThis. Click the 'Do a system scan only' button.

    Click 'Config'

    Click 'Misc Tools'

    Click 'Open Process Manager'

    Select the following processes (if found) and click kill process


    Click 'Yes' to confirm you want to kill the process.

    Click 'Back' to return to the scan results

    Place a checkmark in the box next to the following lines:




    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)



    When searching for the files requested, ensure you have enabled viewing of hidden files and folders and have enabled the search to look in protected system folders and hidden folders.

    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  19. lroush999

    lroush999 Private E-2

    ok.. I successfully uninstalled the Java I had and I reinstalled the new version. I downloaded Killbox.

    I followed your instruction for Hijackthis with the following results.
    1. I didn't see any of the programs running that you listed when I went into process manager.
    2. I didn't find the entry O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\s.exe so I couldn't fix it.
    3. When I clicked 'Fix checked' it gave me the following error:
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=020 Error #5 - Invalid procedure call or argument
    it then goes on to say I should email the report to merijn@spywareinfo.com, etc.

    I decided to go ahead and try and run the PocketKillbox piece, but I'm not sure I understand what you want me to do here.
    When I go to Tools, Delete Temp Files, do you want me to select 'Delete Selected Temp Files' before I close the window (I assume the red X you want me to click on is the close window x? there isn't another RedX)

    Guess that's where I'm at!
     
  20. matt.chugg

    matt.chugg MajorGeek

    OK, I am not sure what the error is; could you post the exact error message so I can contact the author.

    Let's try to narrow it down.

    Redo the entire procedure as I specified, but this time select the lines in HJT one at a time and click fix.


    Do the following for the killbox deleting temp files part:

    Run Killbox

    Choose Tools -> delete temp files

    Click delete selected temp files

    Close the dialog so you are back at the main window

    Then follow the rest of the procedure as written.
     
  21. lroush999

    lroush999 Private E-2

    ok.. I went back into HJT and redid the scan. The only file left is the O20 - Winlogon Notify: obbf115 - C:\WINDOWS\SYSTEM32\obbf115.dll

    This time when I select it and fix it, it asks me if I'm sure I want to fix it and I say yes; it goes to a blank screen. When I scan again it's still there?

    working on the killbox part now
     
  22. lroush999

    lroush999 Private E-2

    ok.. well, I thought all was getting better, but..

    I finished everything you mentioned. Rebooted into normal mode and ran HJT (file attached). I then tried to access the internet to post everything and my emails started spawning again and I got a message that said something about cpcc.exe?? I closed the window in frustration before I made sure to grab what it said...

    sorry..

    thanks for your help! now what?
     


  23. lroush999

    lroush999 Private E-2

    ahh.. happened again... the message is a

    Microsoft Visual C++ Runtime Library Error
    Runtime Error!
    Program: c:\program files\common files\symantec shared\ccApp.exe
    R6025
    -pure virtual function call
     
  24. matt.chugg

    matt.chugg MajorGeek

  25. lroush999

    lroush999 Private E-2

    ok.. that doesn't make any sense... I've never had CompuServe on this machine.. it's pretty new! It seems like maybe it has something to do with the spawning of all these emails... I get several Symantec windows on my machine that say 'sending 1 of 1'... when I disconnect my internet connection I get messages from symantec telling me it was unable to send emails and the addresses are FUNKY addresses that I don't recognize...

    should I try all that it says or do you have any other ideas? Thanks a lot for your help!
     
  26. matt.chugg

    matt.chugg MajorGeek

    ok, don't bother with what Symantec say for the moment, we need to work out what's sending the mails.

    You need to set your Symantec firewall to block whatever process is sending the emails; it is more than likely some worm that is trying to propagate by emailing itself all over the place.
     
  27. lroush999

    lroush999 Private E-2

    ok.. how do I do that?
     
  28. matt.chugg

    matt.chugg MajorGeek

    I don't know, I've never used a Symantec product.

    Does whatever Symantec product you have actually have a firewall?
     
  29. lroush999

    lroush999 Private E-2

    should I just can Norton and use one of the free antivirus things you guys recommend? If I do that, I'll need that and a firewall and what else in addition to Ad-Aware SE and Spybot?
     
  30. lroush999

    lroush999 Private E-2

    yes it has a firewall
     
  31. lroush999

    lroush999 Private E-2

    I still think even if I do get rid Norton/Symantec that I still have a problem with the mass emailer...
     
  32. lroush999

    lroush999 Private E-2

    also, task manager is still disabled
     
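    The Winlogon Notify entry that HijackThis could not remove and the still-disabled Task Manager are both registry artifacts (Task Manager is disabled by the DisableTaskMgr policy value under the user's Policies\System key), so one way to triage them without touching the live system is to export the relevant keys with `regedit /e` and scan the .reg text offline. The script below is an added example, not the poster's or the forum's own tooling: the .reg text is constructed to resemble the entries quoted in this thread, and the known-good Winlogon Notify list and the Run-key heuristic are baseline assumptions to adjust for a given machine, not a complete reference.

```python
"""Triage a Windows registry export for lockdown policies and persistence entries.

Added example for this thread, not the poster's or the forum's own tooling.
The .reg text below is constructed to resemble the entries quoted in the
thread; the known-good Winlogon Notify list and the Run-key heuristic are
baseline assumptions, not a complete reference.
"""
import re

# Constructed sample of a `regedit /e` export (not taken from the poster's machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obbf115]
"DLLName"="C:\\WINDOWS\\SYSTEM32\\obbf115.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"loaddr"="C:\\WINDOWS\\s.exe"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Winlogon Notify DLL names shipped with Windows XP (baseline; extend per system).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
# Run entries that legitimately live directly under the Windows folders (baseline; extend).
RUN_ALLOWLIST = {"ctfmon.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def _unescape(value):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def _parse_value(raw):
    """Decode a REG_DWORD or REG_SZ right-hand side; anything else is kept raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    entries, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_LINE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = VALUE_LINE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group(1)] = _parse_value(value_match.group(2))
    return entries


def _image_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def _suspicious_run_entry(command):
    """Heuristic: an executable dropped straight into %WINDIR% or system32 merits review."""
    path = _image_path(command).lower()
    folder, _, base = path.rpartition("\\")
    return (folder + "\\") in WINDOWS_DIRS and base not in RUN_ALLOWLIST


def triage(entries):
    """Return (kind, location, detail) findings for lockdown and persistence artifacts."""
    findings = []
    for key, values in entries.items():
        lowered = key.lower()
        if lowered.endswith("\\policies\\system"):
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if values.get(name) == 1:
                    findings.append(("lockdown", key, name))
        elif "\\winlogon\\notify\\" in lowered:
            dll = str(values.get("DLLName", ""))
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon_notify", key, dll))
        elif lowered.endswith("\\currentversion\\run") or lowered.endswith("\\currentversion\\runonce"):
            for name, command in values.items():
                if _suspicious_run_entry(str(command)):
                    findings.append(("run_key", name, command))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:16} {where}  ->  {detail}")
```

    Run against the sample it flags the DisableTaskMgr policy, the obbf115 Notify DLL and the loaddr entry pointing at C:\WINDOWS\s.exe, while leaving the stock crypt32chain entry and the Symantec ccApp entry alone. A Notify DLL is loaded by winlogon.exe, which is why a running system may refuse to let the key or file go; the usual order is to remove the key and schedule the DLL for deletion on reboot from Safe Mode, then re-export and re-run the check to confirm nothing re-created it.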
  33. matt.chugg

    matt.chugg MajorGeek

    OK, as you have a firewall, does it not alert you and ask whether you would like to allow a program to access the internet the first time it goes online?

    Give me a list of all programs configured for internet access, or even dump the whole list and start again allowing only your browser for now.

    DO NOT ALLOW OUTLOOK OR OUTLOOK EXPRESS INTERNET ACCESS.
    It could be that the worm or whatever form of malware we are dealing with here is invoking outlook to send the email.
     
  34. matt.chugg

    matt.chugg MajorGeek

    I just noticed something very serious in your log that you must address immediately!

    IMPORTANT NOTE: You have been infected with a Password Stealing Trojan: Trojan.W32.Torpig

    See this link for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/


    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
     
  35. lroush999

    lroush999 Private E-2

    great... just what I need is to have my identity stolen. For now, I have turned the !&*#& pc off as I won't be able to get to this until later.

    I did, however, go into Symantec's firewall and kill everything that has access.. I immediately got a message the rpcc.exe (my old friend) wanted to access the internet... seems like maybe it has something to do with it?

    I can tell you, I'm feeling pretty discouraged by all this... level with me, am I better off to format the harddrive and start over?

    next time my brother gets on my PC I'm gonna KILL him.. :)
     
  36. lroush999

    lroush999 Private E-2

    just another question.. are you saying this WinTasks is the only way to remove the Torpig?

    I did a Spybot scan, an Adaware scan AND a Norton scan yesterday afternoon and they were all clean... how did they ALL miss this?
     
  37. matt.chugg

    matt.chugg MajorGeek

    Sorry to be the bearer of bad news....

    rpcc is malware. Do not let it access the internet. It is a 'Downloader': it accesses the internet to download more malicious code and may have been what installed one of the other issues.

    I know it is discouraging...

    If you have no user files or other files of particular importance on your computer then formatting is indeed an option.

    Before you do format i'd like to point out a couple of things (that I am sure you are already aware of.)

    1: If your computer is part of a network then the infection may have spread to other computers. If you format, DO NOT reconnect it to the network until the other computers are clean, or at least if you do connect it to the network, deny all access to it using a firewall.

    2: If you have multiple partitions or drives then the infection may be present on them as well and could easily return to haunt you after formatting. This may not be the case but I feel I should mention it as it is possible.

    3: One of the infections you have is, as I mentioned, a Trojan which allows remote access to your computer. The steps I asked you to do above are precautionary steps, but I DO recommend you take it seriously and do as I said. Do you use your computer for internet banking or other financial activities? If so then you should ensure that you contact your bank and credit card companies urgently.

    4: If you do format you will need all your original software cds (windows, office) etc with their serials and all your hardware drivers.

    WE CAN probably fix this but it will take time and will probably involve several manual removal steps.

    Bottom line is formatting will be quicker and probably less hassle but it can probably be fixed without doing that.
     
  38. lroush999

    lroush999 Private E-2

    I don't think I have all the stuff I need to rebuild it, not to mention the massive amounts of pictures and other stuff on there that aren't backed up..

    so what's our first step if we try and fix it?
     
  39. matt.chugg

    matt.chugg MajorGeek

    Is your firewall working properly now ? Is it blocking everything from accessing the internet.

    DO you have a second computer that is clean, on the internet and not connected to the infected machine ? and a way of transfering files ?

    I think a new HJT log and RunKeys and ShowNew would be an idea, as I think something else has come in while we were doing something else.
     
  40. lroush999

    lroush999 Private E-2

    well, I think my firewall is working.. it seems like that maybe one of these suckers does something to the Norton firewall that forces it to allow it? dunno..

    yes, I have a second computer (what I've been using all along to post to this forum).. it's on the internet - connected to the same wireless router as the infected pc, but that's where their connectivity ends...I don't have a network.. I transfer files back and forth with a thumb drive.. I'll try and run the files you have requested and I'll post them soon.. thanks again for all your help!
     
  41. matt.chugg

    matt.chugg MajorGeek

    OK, we will leave Symantec for now then, but if later it seems that it is compromised then we will have to install something else.

    Once you have the logs, post them and we will go from there
     
  42. lroush999

    lroush999 Private E-2

    here they are.. when I run the newfiles one I got several errors in a row saying that

    ntvdm.exe has encountered a problem and needs to close... happens about 12 times before the text file is generated...
     


  43. matt.chugg

    matt.chugg MajorGeek

    ok, I can't see anything starting the rpcc process at startup, however it is a running process.

    Use HJT to terminate the process as described in my previous post and then attempt to manually delete the file using windows explorer:

    C:\WINDOWS\system32\rpcc.exe

    If you cannot delete it then reboot to safe mode and try the same procedure.

    It may not be as simple as this but we should try the simple way first!
     
  44. lroush999

    lroush999 Private E-2

    sorry, not quite sure I understand... use hjt to terminate which process? I don't see an entry for specifically this file (rpcc.exe)
     
  45. matt.chugg

    matt.chugg MajorGeek

    Run HijackThis. Click the 'Do a system scan only' button.

    Click 'Config'

    Click 'Misc Tools'

    Click 'Open Process Manager'

    Select the following processes (if found) and click kill process


    Click 'Yes' to confirm you want to kill the process.

    Close Hijack this

    Run pocket killbox

    Tick the 'Delete on Reboot' option

    Paste the following into the kill box.

    click the red button to 'kill' the file

    Click yes to reboot.

    Reboot to safe mode and browse to c:\windows\system32 with explorer and manually confirm the file is deleted. if it isn't then delete it now.
     
  46. lroush999

    lroush999 Private E-2

    ok, rpcc.exe isn't in my c:\windows\system32 directory anywhere... I did a system search and I found the following:

    rpcc.exe-3B61445B.pf in c:\windows\prefetch

    that's it
     
  47. lroush999

    lroush999 Private E-2

    ok.. I did find it running with HJT, but when I open Killbox (or search with Explorer, it doesn't find it - except like in my previous post)
     
  48. matt.chugg

    matt.chugg MajorGeek

    Did you terminate the process in HJT?

    Have you enabled the viewing of hidden files and folders as per the instructions? When you searched, did you tell it to search in hidden files and folders and in system folders?
     
  49. lroush999

    lroush999 Private E-2

    yes, I terminated the process in HJT. yes, I looked in hidden files and folders and I always have my machine setup to show all files and folders.. I can see dlls,ocxs, etc...
     
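    The situation described in the last few posts, a process visible in HijackThis's process manager whose image file cannot be found on disk even with hidden and system files shown, while C:\WINDOWS\Prefetch still holds an rpcc.exe-XXXXXXXX.pf entry, is exactly the kind of evidence conflict a responder wants to tabulate rather than eyeball. The script below is an added example, not the poster's or the forum's own tooling: it cross-references a process list, a file listing and a Prefetch directory listing, all constructed here as sample data (the Prefetch hashes other than the one quoted in the thread are placeholders), and reports which executables are running without an image on disk and which ran earlier but have since vanished.

```python
"""Cross-check running processes against files on disk and the Prefetch folder.

Added example for this thread, not the poster's or the forum's own tooling.
The process list, directory listing and Prefetch names below are constructed
sample data; Prefetch hashes other than the one quoted in the thread are
placeholders, not real values.
"""
import re

# Windows XP Prefetch names look like NAME.EXE-XXXXXXXX.pf (8 hex digits hashing the path).
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Kernel pseudo-processes that never have an image file on disk.
PSEUDO_PROCESSES = {"system", "system idle process"}
# The boot-trace Prefetch file is not an executable and is excluded from the comparison.
BOOT_TRACE_ENTRIES = {"ntosboot"}

# Constructed sample: what a process manager, a full-disk search with hidden and
# system files shown, and C:\WINDOWS\Prefetch might report on a machine like this one.
RUNNING_PROCESSES = ["System", "smss.exe", "explorer.exe", "rpcc.exe", "ccApp.exe"]
FILES_ON_DISK = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
]
PREFETCH_DIR_LISTING = [
    "NTOSBOOT-B00DFAAD.pf",
    "EXPLORER.EXE-082F38A9.pf",   # placeholder hash
    "RPCC.EXE-3B61445B.pf",       # the entry the poster found
    "IBM00011.EXE-0A1B2C3D.pf",   # placeholder hash
    "Layout.ini",                 # not a Prefetch record
]


def parse_prefetch_name(name):
    """Return (executable_name_lowercase, HASH) for a .pf file name, or None."""
    match = PF_NAME.match(name)
    if not match:
        return None
    return match.group("exe").lower(), match.group("hash").upper()


def cross_check(running, files_on_disk, prefetch_listing):
    """Classify executables by which evidence sources know about them.

    Returns a dict with three sorted lists of executable names:
      hidden_running    - running now and recorded in Prefetch, but no image on disk
                          (file hidden from the file system, or deleted after loading)
      unknown_running   - running now, no image on disk, and no Prefetch record at all
      ran_then_vanished - Prefetch proves it executed, file gone, not running now
    """
    disk_names = {path.rsplit("\\", 1)[-1].lower() for path in files_on_disk}
    parsed = (parse_prefetch_name(entry) for entry in prefetch_listing)
    prefetched = {exe for exe_hash in parsed if exe_hash for exe in [exe_hash[0]]} - BOOT_TRACE_ENTRIES
    running_names = {name.lower() for name in running} - PSEUDO_PROCESSES

    return {
        "hidden_running": sorted((running_names & prefetched) - disk_names),
        "unknown_running": sorted(running_names - prefetched - disk_names),
        "ran_then_vanished": sorted(prefetched - disk_names - running_names),
    }


if __name__ == "__main__":
    for bucket, names in cross_check(RUNNING_PROCESSES, FILES_ON_DISK, PREFETCH_DIR_LISTING).items():
        print(f"{bucket:18} {', '.join(names) or '-'}")
```

    On the sample data rpcc.exe lands in hidden_running and ibm00011.exe in ran_then_vanished, which matches the thread: a process that a user-mode file search cannot see is either hidden by a kernel-level component or was unlinked after it was loaded, and in both cases the Prefetch record is the durable proof that it executed. A live cross-check on the real machine would replace the three constructed lists with the process manager output, a recursive directory listing taken from an offline boot (so a hiding driver is not loaded), and the contents of C:\WINDOWS\Prefetch captured before the Prefetch folder is emptied as part of the cleanup.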
  50. lroush999

    lroush999 Private E-2

    I bet if I reconnect to the internet it will rear it's ugly head again.. not gonna do it until you tell me...
     
