Still problems after Smitfiles.txt

Discussion in 'Malware Help (A Specialist Will Reply)' started by lroush999, Aug 24, 2006.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please goto Add/Remove programs and uninstall the below two programs
    Notification Utility
    Viewpoint Media Player

    Then attach a new log from ShowNew and a new HJT log.

    Tell me what problems you are still having.
     
  2. lroush999

    lroush999 Private E-2

    Ok.. when I uninstalled the Notification Utility it gave me an error and said that it may have already been uninstalled, do I want to remove it from Add/Remove Programs, I said yes (hope that's okay)...

    Viewpoint Media Play uninstalled without incident (as far as I can tell)

    When I run ShowNew I still get the error message I mentioned in an earlier post (ntvdm.exe ).

    The files you requested are attached.

    I haven't recently reconnected to the Internet because at this point I'm frankly afraid of what will happen next. I still haven't addressed this 'Torpig' trojan that I supposedly have - don't know if I should buy the $50 software Matt mentioned or if we can get rid of it via other means...

    Last time I connected to the internet it spawned hundreds of emails. Since then I have deleted all of the 'allowed' areas from my firewall and blocked the rpcc.exe from accessing the internet. I didn't find the file on my computer, but I did stop the process with HJT. All I found was the pf file in Prefetch.

    Thanks in advance for anything you can do for me...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's good!

    I'll be giving you another fix to run in a few minutes! I'm just finishing it off now.


    No! You don't need it, but you should check everything out with financial institutions to be safe. I will be giving you another file to delete related to this trojan too.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have more left than I thought.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft ASPI Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    aspi113210

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down while running the below fix.

    Now please run this WareOut Removal and attach the c:\fixwareout\report.txt when finished with all of the below steps (I will remind you at the end).


    Now run HijackThis again and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
    O20 - Winlogon Notify: obbf115 - obbf115.dll (file missing)
    After clicking Fix, exit HJT.


    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now reboot into safe mode and use Windows Explorer to delete the below:
    C:\Program Files\License_Manager <--- the whole folder
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00012.dll

    Now reboot into normal mode and attach new logs from:
    - GetRunKey
    - ShowNew
    - HijackThis
    - c:\fixwareout\report.txt

    You will need to post logs in two messages since only 3 can be attached in one message and there are 4 logs to attach.

    Tell me how everything is working now!
     
  5. lroush999

    lroush999 Private E-2

    ok.. I got to the point where I ran fixwareout.exe and the Setup dialog box comes up and just hangs there... nothing happens, no buttons to push?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just skip the WareOut procedure and continue on to the rest.
     
  7. lroush999

    lroush999 Private E-2

    ok.. here ya go... I haven't had the nerve to plug in the cable to access the internet yet, but there weren't any errors on boot-up.. do you want me to go ahead and try the internet now? also, do you want me to try running fixwareout now that I've rebooted?

    also, I did get the error I've mentioned before when running shownew (ntvdm.exe)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like you did not fix some of the items I asked you to fix. Did you forget to fix the below in HijackThis?
    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    Run HijackThis, select the below lines, and do not click Fix until ALL browser windows are closed:

    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2D36A3-51B8-4249-9875-1CF0B2E4F32A}: NameServer = 85.255.116.102,85.255.112.199
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.102 85.255.112.199
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.102 85.255.112.199

    Now look for the below folder and tell me if it exists!!!! Delete it if it does exist:
    C:\Program Files\License_Manager

    Now connect your cable to the internet and then try to run FixWareOut!

    Also run: Sophos Anti-Rootkit 1.0 and attach a log from it.
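    An added triage helper, not code from this thread or from HijackThis, that applies the same checks chaslang makes above (NameServer entries pointing at outside resolvers, Run entries with no full path, Winlogon Notify DLLs that are missing on disk) to constructed HJT-style lines; the trusted resolver ranges are an assumption:

    ```python
    import ipaddress
    import re

    # Constructed sample HijackThis lines modelled on those quoted in this thread; not a real log.
    SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rpcc] rpcc.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.102 85.255.112.199
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2D36A3-51B8-4249-9875-1CF0B2E4F32A}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: obbf115 - obbf115.dll (file missing)
    """

    # Assumption: the only resolvers this PC should use live on the local network.
    TRUSTED_DNS = (ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8"))

    O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
    O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
    O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")


    def executable_of(cmd):
        """Return the program part of a Run-key command line (quoted path or first token)."""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0]


    def triage(log_text, trusted_nets=TRUSTED_DNS):
        """Return (section, name, reason) tuples for lines that match the thread's red flags."""
        findings = []
        for raw in log_text.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = O4_RE.match(line)
            if m:
                exe = executable_of(m.group("cmd"))
                # A bare file name is resolved via the search path (e.g. system32), as rpcc.exe was.
                if "\\" not in exe and ":" not in exe:
                    findings.append(("O4", m.group("name"), "run entry without a full path: " + exe))
                continue
            m = O17_RE.match(line)
            if m:
                foreign = []
                for server in re.split(r"[,\s]+", m.group("servers").strip()):
                    try:
                        ip = ipaddress.ip_address(server)
                    except ValueError:
                        foreign.append(server)  # not even an address: flag it
                        continue
                    if not any(ip in net for net in trusted_nets):
                        foreign.append(server)
                if foreign:
                    findings.append(("O17", m.group("key"), "untrusted NameServer(s): " + ", ".join(foreign)))
                continue
            m = O20_RE.match(line)
            if m and "(file missing)" in m.group("dll"):
                findings.append(("O20", m.group("name"), "Winlogon Notify DLL missing on disk"))
        return findings


    if __name__ == "__main__":
        for section, name, reason in triage(SAMPLE_LOG):
            print(section, name, "-", reason)
    ```
    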
     
  9. lroush999

    lroush999 Private E-2

    I swear I deleted them. I was pretty meticulous about it. I ran HJT and deleted them again (along with the other entries you gave me). I reran a scan to make sure they were gone. I have no c:\program files\license_manager folder.

    I connected to the internet and so far no issues. I was able to connect and post to this forum from the 'infected' pc.

    I still can't run FixWareOut - still no buttons to push.

    I ran Sophos (actually ran it twice as you will see from the log). I got an error when I ran it that said something about Microsoft needing to close the helper.exe file. It happened twice in each run. I ran it twice because I thought I missed the log file the first time. I then ran the readme and saw that it was creating a log somewhere, so I searched my computer and found it.

    Ok, I went back into HJT to check one more time for those files and ONE OF THEM WAS BACK. The O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background was BACK. I fixed it again and reran - logs are attached. What is up with that?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's fix this one a different way.

    Run this to remove it: Disable/Remove Windows Messenger

    I have to take a deeper look at the Sophos Rootkit report. Can you get me a real log from the lower window that reports their recommendations on what to fix and not to fix. It should look more like the below (note this is an example and it is not for your problems. It just shows more of what I'm looking for.)
    Also I would like a second report from the below new tool:

    AVG Anti-Rootkit 1.0.0.13 Beta
     
  11. lroush999

    lroush999 Private E-2

    ok.. I used the tool and uninstalled Windows Messenger from my machine. I ran a HJT to make sure it was gone (appears to be) and I see my rpcc.exe friend is still sitting there now.. (this was after the reboot I had to do to install AVG). I thought about killing it, but decided to wait for what you had to say after you see my Sophos file...

    Also attached is my Sophos file. I noticed that most of them say they aren't removable.. is this an ominous sign that I'm totally out of luck?

    Also attached is the AVG log - also see that rpcc is found there too. How the heck did I get this darn thing?

    Computer seems to be working ok, although I am still afraid to let it sit online too long.. I disconnect it when not in use for now...

    On a scale of 1 - 10, 1 being real close, 10 being - you better go buy a new PC.. how close are we to having this thing licked? Just curious..

    I really do appreciate all of your help.. I obviously would have never been able to do this without you!.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It has been there all along. That is why we are running the rootkit tools, so we can get more info on it.

    But you did not attach a log from the AVG Rootkit tool. Please attach it.

    I'm not sure right now. You seem to have a different form of this rpcc.exe file that is using a rootkit to hide things. Previous ones that I have had to remove were not using a rootkit and were simple to remove. We just stopped it from loading at startup and deleted the file and that was it. It was gone at that point.

    I keep seeing the below in your HJT log.
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    From now on make sure you do not have any command prompt windows (cmd.exe) open and also make sure no browsers are running any time you use HJT.


    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\rpcc.exe

    If it comes back right away don't worry about it, just continue.

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [rpcc] rpcc.exe

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\rpcc.exe

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    After reboot double check for the below file and delete it if found:
    C:\WINDOWS\system32\rpcc.exe

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from Sophos Anti Rootkit.

    Make sure you tell me how things are working now!
     
  13. lroush999

    lroush999 Private E-2

    sorry about the AVG log, for some reason I had it saved as a csv file - and when I uploaded it majorgeeks didn't like it and I didn't notice it... I've attached it now as a text file... looks like it tells us what we already knew.. next post will contain the files and stuff from your instructions..
     

    Attached Files:

  14. lroush999

    lroush999 Private E-2

    ok.. I ran the fixme.reg without incident.

    When I went to HJT, I was able to kill the process, but when I went back to the scan, the registry entry wasn't there for me to 'fix'..

    I went ahead and ran killbox and I 'killed' the entry. I rebooted without any errors. I'm online and it doesn't appear as though anything funky is happening.

    I searched for the rpcc.exe file in c:\windows\system32 and didn't see it there. I did see it, however, in my HJT log (attached). Good news (I think) is that Sophos didn't detect it. I've attached the Sophos log and the more information on the one entry it did find. The Show New file is in the next post.

    Thanks again for everything you're doing!
     

    Attached Files:

  15. lroush999

    lroush999 Private E-2

    Here is the ShowNew file. Thanks!
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows Search will not show hidden files or system files by default, so unless you configure it like in the below link, it would be a waste of time.

    Searching for Hidden Files on WinXP

    In addition, if the file is super hidden (like a rootkit can do), even the above will not show it.

    Run HijackThis and fix the below line now:

    O4 - HKLM\..\Run: [rpcc] rpcc.exe

    Exit HJT and reboot into safe mode.

    In safe mode, use Windows Explorer to delete the below files (make sure you have configured it to view hidden and system files as in the READ & RUN ME step 2)

    C:\511c8624-6674-45a9-aa63-2b36766a5d30.cab
    C:\WINDOWS\system32\svchk.exe
    C:\WINDOWS\system32\ws386.ini
    C:\WINDOWS\system32\rpcc.exe <--- let's just double check again! ;)


    Now reboot into normal mode and attach new logs from HJT and ShowNew.

    How are things running now?
     
  17. lroush999

    lroush999 Private E-2

    OK! I am cautiously optimistic...

    I have had my settings set to show hidden files from the beginning, and I've also had the search options set to show hidden, etc. It must have been 'super hidden' like you said.

    anyway, I ran HJT and killed rpcc.exe (yeah - it felt good)

    I rebooted like you asked and deleted all the files you requested. Still could not locate c:\windows\system32\rpcc.exe

    Just to be safe I did a search on my whole pc for *rpcc* and I DID find an instance of it in c:\!Killbox (along with a few other things I've deleted). Is it okay for that to be there? I didn't do anything with it for now, so it's still there.

    I rebooted into normal mode, and things still seem to be OK. No errors and I ran my HJT and rpcc.exe was GONE! YEAH TEAM!! Let's hope it stays gone!

    I've attached the files you requested... are we close to having this thing killed???

    Is this rpcc.exe the torpig trojan, or something else? Are we sure the torpig thing is gone? I changed my pwds for my bank, etc on another machine, but I just want to be sure it's gone before I go back to doing stuff on this machine.

    Thanks a million for your help.. you seem like a very busy person on this board.. I don't know how you do it! Do you have another job besides helping folks out on here?

    ok.. I'll stop taking up your time... what's our next move?

    Thanks!
    Lori
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can delete that whole backup folder for Killbox now.

    It is something totally different than Torpig. It actually has appeared in about 5 different forms. Only time will tell if it is really gone. Last time either something that you still had on your PC or someplace you surfed put it back on your PC after it was removed.

    You're welcome. Yes I have a real job! I just don't sleep. ;)


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  19. lroush999

    lroush999 Private E-2

    I can't thank you enough.. I really thought there for a while that we would be reformatting this baby.. I have already gone through the steps to protect us from malware, including making a household ID for my family to use instead of the admin.. (now I'm the only one with POWER) :D

    I've done the System Restore and rebooted and re-enabled.. I looked one more time for any critters using AdAware and Spybot and it only found one (Smitfraud?) that it fixed. Hopefully this will be the end of my troubles with malware (or it will be significantly reduced because I'm following your suggestions)

    anything I can do for you? do you take donations on the website? I feel like I should give back somehow...

    thanks again.. hope you get some more sleep.. I just had twin girls and I know what it's like to be in a sleep deprived haze!

    Thanks again,
    Lori
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Privately via Paypal!

    Well congrats Mom! :D How old are they?
     
