twink64.exe and systime.exe!!!! AAAAAAGH!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by boudewijnzen, Oct 26, 2004.

  1. boudewijnzen

    boudewijnzen Private E-2

    Hiya, I'm a complete novice when it comes to computer things really, but I know enough to have realised there was adware on my computer, and it's got to the point where my machine is pretty much crippled.
    I can now only open one browser at a time
    My startup page is now a random search site
    Browser spontaneously closes
    Various error messages, all leading to the browser closing
    So... I downloaded and used Ad-aware and it removed quite a large amount of files; the problem however still existed. I downloaded The Cleaner, it did the same, but the problem still existed. I downloaded Spyware Doctor, it did the same and the problem STILL existed, plus on top of that its little box pops up every 30 seconds with a new cookie it's removed. So, then, I got hold of AVG, updated it and ran it, and it found 86 different infections, all of which could be put into the Virus Vault bar two, twink64 and systime; now when I've tried manually removing these, Windows refreshes and I'm back at the desktop again. Now I've read the posts on here etc., and seen this HijackThis spoken of, so I've downloaded it in anticipation of someone being able to offer me help. But any advice offered MUST be given in the simplest terms possible, as I really am a novice, but I'm so angry that the machine has been crippled because of this. Any help would be massively gratefully received, thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's Boudewijnzen,

    Our standard procedures require that you please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    From your first post it appears that you may have done some of the steps in that thread but not all. Please follow all of the steps and then, if you are still having a problem, make sure you have HijackThis version 1.98.2 and read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. boudewijnzen

    boudewijnzen Private E-2

    Thanks, I'm currently in the process of performing the steps in the link anyway; I hadn't read it before I posted. I can't get Trend Micro's Free Online Virus Scan to work, but half-way through Symantec Security Check I can now open more than one browser, and it has detected 1 file. I'll finish the steps and do as you said with the HijackThis program. Thanks,
     
  4. smedley

    smedley Private E-2

    You are the victim of a browser hijacker. Download Browser Hijack Blaster and CWShredder and they will help you. Also, Giant Anti-Spyware will let you see what hijackers you have.
     
  5. GeoFan

    GeoFan Private First Class

    boudewijnzen: I hope to read your "lessons learned" and a "post-mortem"?
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Thank you smedley, but we have a tutorial that Chas posted that covers it all... or 98% of it at least ;)
     
  7. boudewijnzen

    boudewijnzen Private E-2

    OK, I followed every step in the tutorial, and as I've just restarted the machine back into normal mode, AVG Resident Shield has flashed up multiple warnings about twink64 and systime again, and PC Doctor flashed a box saying its startup scan had found 14 infections. Oh, and msload is clearly visible on my desktop still. The HijackThis log is attached. :(
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not using the current version of HijackThis. Please go back to the READ ME FIRST and get the proper version. Post a new log using it.
     
  9. boudewijnzen

    boudewijnzen Private E-2

    Sorry, here.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should also take a look in Add/Remove Programs for anything saying Kontiki or MyWebSearch (or MyWeb or MySearch) and uninstall them.

    Tell me if you find those while I look at your log.
     
  11. boudewijnzen

    boudewijnzen Private E-2

    CNET Download Manager, which is in brackets with Kontiki in the Ctrl+Alt+Delete thing, is there, but upon my trying to uninstall it, it freezes up. Search Toolbar looks suspicious, but everything else I recognise.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look in Control Panel, Add/Remove programs? It sounds like you went to Task Manager using CTRL-ALT-DEL.

    If this next item is installed uninstall it too:
    O4 - HKLM\..\Run: [Windows Accelerators ] c:\things\setup.exe
     
  13. boudewijnzen

    boudewijnzen Private E-2

    No, I went to Add/Remove in Control Panel, but had to go to Task Manager to end the Add/Remove task that had frozen; that's when I noticed CNET and Kontiki are the same.
     
  14. boudewijnzen

    boudewijnzen Private E-2

    Oh, and no, that wasn't installed.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled.


    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\things\setup.exe
    C:\WINDOWS\System32\systime.exe
    C:\Program Files\Win Comm\WinComm.exe
    C:\Program Files\Win Comm\WinLock.exe
    C:\Program Files\Kontiki\bin\kontiki.exe
    C:\Documents and Settings\Mark Lambton\Application Data\peoi.exe
    C:\WINDOWS\System32\t?skmgr.exe
    C:\HijackThis.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

    Do you recognize the www.keele.ac.uk URL on this next line? If not, fix it too otherwise skip it and continue.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.keele.ac.uk/nsproxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {48AF1470-B136-6BF2-8723-12550E867916} - C:\WINDOWS\System32\sjgrph.dll
    O2 - BHO: (no name) - {58214779-B632-4421-8BEC-8C3561FD6287} - C:\WINDOWS\System32\cjod.dll (file missing)
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
    O2 - BHO: ToolHelper - {AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\WINDOWS\DOWNLO~1\CONFLICT.2\toolbar.dll (file missing)
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
    O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
    O4 - HKLM\..\Run: [Windows Accelerators ] c:\things\setup.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKCU\..\Run: [Odua] C:\Documents and Settings\Mark Lambton\Application Data\peoi.exe
    O4 - HKCU\..\Run: [Xwt] C:\WINDOWS\System32\t?skmgr.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: hallslogon.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
    O9 - Extra button: MP3download (HKLM)
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/065d0d9270892e5dc923/netzip/RdxIE601.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {DD0470D4-A51B-4306-AC2C-7C160E33B4E7} - http://www.coolball.net/cxc/toolbar.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba10.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba10.exe


    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MyWebSearch <-- the whole directory if it still exists
    C:\Program Files\Kontik <-- the whole directory if it still exists
    C:\Program Files\Win Comm <-- the whole directory
    C:\Documents and Settings\Mark Lambton\Application Data\peoi.exe
    C:\WINDOWS\System32\systime.exe
    C:\WINDOWS\System32\twink64.exe
    c:\things\setup.exe
    C:\WINDOWS\System32\DLL.dll
    C:\WINDOWS\System32\mtc2608.dll
    C:\WINDOWS\System32\sjgrph.dll


    We need to delete the below but it cannot be deleted using Windows Explorer as it will not even find it.
    C:\WINDOWS\Downloaded Program Files\bridge.dll

    So here is how we will delete it.
    - Click Start, Run, and enter "cmd" without the quotes to open a command prompt window.
    - Enter the following commands exactly as written, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s bridge.dll
    del bridge.dll
    exit

    The last command will close the command prompt window.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    I'm not sure what the below line is for. Do you know?
    O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
     
    Last edited: Oct 26, 2004
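    As an added example (not from this thread and not part of HijackThis itself) of how the triage in the post above can be made mechanical: a Python script that parses a constructed sample of HijackThis-format lines (assembled from entries quoted in this thread, not the poster's attached log) and flags the indicators chaslang is reacting to: a start/default page set to a bare IP address, registrations whose file is already missing, a '?' inside a file name (the look-alike t?skmgr.exe), a Run entry that loads code out of Downloaded Program Files, DPF entries sourced from file:// or ms-its: instead of a web .cab, Trusted Zone additions, and unpathed Global Startup items such as hallslogon.exe, which it marks for review rather than removal unless the name is passed in known_good. The heuristics, the Finding class and the known_good parameter are my own assumptions; an entry like the twink64.exe Run line carries none of these markers and still needs a human who knows the machine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the HijackThis 1.98 log format, assembled from entries
# quoted in this thread. It is not the poster's attached log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.keele.ac.uk/nsproxy.pac
O2 - BHO: (no name) - {58214779-B632-4421-8BEC-8C3561FD6287} - C:\WINDOWS\System32\cjod.dll (file missing)
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [Xwt] C:\WINDOWS\System32\t?skmgr.exe
O4 - Global Startup: hallslogon.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE = re.compile(r"^([RO]\d+) - (.*)$")
# A start/default page that is a bare IPv4 literal rather than a host name.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
# HijackThis prints '?' for a character it cannot display; inside a path
# component that usually means a look-alike of a system binary (t?skmgr.exe).
SUBSTITUTED_NAME = re.compile(r'\\[^\\\s"]*\?[^\\\s"]*\.(?:exe|dll)', re.I)
# An ActiveX (DPF) entry loaded from local disk or via the ms-its: handler
# instead of a web-hosted .cab.
LOCAL_DPF = re.compile(r"-\s+(?:file://|ms-its:)", re.I)


@dataclass
class Finding:
    section: str
    entry: str
    reason: str
    verdict: str  # "fix" = let HijackThis fix it, "review" = identify it first


def parse(log_text):
    """Return (section, body) pairs for every well-formed entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text, known_good=()):
    """Apply the indicators used in this thread to a log and return Findings."""
    known = {name.lower() for name in known_good}  # assumed allowlist of startup items
    findings = []
    for section, body in parse(log_text):
        def flag(reason, verdict="fix"):
            findings.append(Finding(section, body, reason, verdict))

        if section in ("R0", "R1") and IP_URL.search(body):
            flag("browser start/default page points at a bare IP address")
        if "(file missing)" in body:
            flag("registration points at a file that no longer exists; dead entry")
        if SUBSTITUTED_NAME.search(body):
            flag("file name contains a character shown as '?': look-alike of a system binary")
        if section == "O4" and "downloaded program files" in body.lower():
            flag("startup entry runs code out of the ActiveX download cache")
        if section == "O16" and LOCAL_DPF.search(body):
            flag("ActiveX entry sourced from a local file or ms-its: rather than a web .cab")
        if section == "O15":
            flag("site added to the Trusted Zone, which relaxes IE's security prompts")
        if section == "O4" and body.startswith("Global Startup:"):
            name = body.split(":", 1)[1].strip()
            if "\\" not in name and name.lower() not in known:
                flag("bare startup item with no path; identify it before removing", "review")
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. {'fix': 7, 'review': 1}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict}] {f.section}: {f.reason}\n    {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run against the sample, it marks seven entries for fixing and one (hallslogon.exe) for review; passing known_good=("hallslogon.exe",) drops that one, which is the decision the thread reaches by asking the user rather than by deleting first. The keele.ac.uk AutoConfigURL produces no finding, matching the "if you recognise it, skip it" instruction.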
  16. boudewijnzen

    boudewijnzen Private E-2

    In the processes list: WinComm.exe and WinLock.exe instantly reappear after being ended; Kontiki and HijackThis aren't there. ?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Try using kill process tree on them. Otherwise just continue. But later, when you boot in safe mode to delete files, if you run into a problem deleting anything, bring up Task Manager, look for the processes and end them. Then try deleting again.
     
  18. boudewijnzen

    boudewijnzen Private E-2

    OK, I did all you said, and peoi.exe wasn't there, and neither was sjgrph.dll. Plus in the command prompt bridge.dll wasn't there either. But everything else went fine. The new log file is attached.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks a lot better but these two are still there. Did you miss them or did they come back?

    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll (file missing)
    O4 - Global Startup: hallslogon.exe

    Perhaps we also need to look for and delete hallslogon.exe
    You may have to search for it but set the Advanced options for search first.

    Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.


    And I ask again, do you know what this next line is for?
    O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t
     
  20. Kodo

    Kodo SNATCHSQUATCH

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks Kodo!

    Boudewijnzen,

    Thus we must have HijackThis also fix:
    O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MP3download:t

    Then boot in safe mode and delete:
    C:\WINDOWS\System32\MSA64CHK.dll
     
  22. boudewijnzen

    boudewijnzen Private E-2

    MSA64CHK.dll wasn't there, and a search verified this. The hallsnet logon is the program to sign me into my halls network in order to get online, but all other lines you highlighted I fixed. The problem now appears to be gone! Thanks a lot.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I'm happy that you recognized hallslogon.exe as something you need before we deleted it.
     
