
ARgh!!! I'm about to smash my in-law's laptop

Homerboy

Lifer
I've cleaned this thing 2 times in the past 2 weeks of spy/malware. I got an email, again today saying that he's infected with crap again.

I've used rkill.exe to kill off any processes. Then run Malwarebytes, Avast, Spybot etc. until everything comes back clean.

Then I use his laptop at home for the night (general browsing etc.) and I have no issues. Within 2 days he's emailing me saying he has pop-ups again. 3rd party programs installed (Windows Security Center being the latest, and Quick Defragmenter being the previous).

He uses this laptop at work, and this time he has tracked what he has done: Bank website a few times, company website a couple of times and email from known recipients.

I want to format the whole damned thing at this point, but restoring it to a working order for work would be a major PIA too.

Any suggestions? Can I post a HijackThis log and let you guys peruse it? (I probably won't have the laptop until the weekend.)

GD it. I hate being "tech support". I really really do.
 
I stopped being tech support a long time ago. Set up the machine like they want, then use DeepFreeze! Then again, that may not work. Try making a limited account for them only, then.
 
Oh I know. I'm not tech support for many people anymore. My mom and that's about it. In this case, it's my father-in-law, and to make a long story short, I kind of have to be.

I'm not familiar with "DeepFreeze"...
 
Post the log and we can see if anything stands out.
I know how annoying it can be. I spent 3 hours yesterday trying to tell my niece how to type DOS commands while in Windows safe mode, with her giggling the whole time because she thought all the commands she had to use were funny. I hate spelling things to people over the phone.
 
Yeah, I will once he gets me the laptop again. I just don't get WTF he has and/or is doing. I've had enough of it. I don't even care for the man. 🙂
 
Could he be using an infected flash drive every time, and reloading the viruses?

I actually asked and confirmed that.
I'm running Malwarebytes right now.... already 11 things found
Hopefully I can get a HijackThis log before the night's over and I have to give it back to him.
 
Here's the hijack log.
I just did a full scan with Malwarebytes, it removed 11 items, rebooted, started browsing and was still being redirected all over the place.

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:40:02 PM, on 11/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Honda TTS\HondaHelper.exe
C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\hahlers.BMT.000\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HondaHelper] C:\Program Files\Honda TTS\HondaHelper.exe
O4 - HKLM\..\Run: [Auto Run Software for Photo Frame] "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnowukinemerokon] rundll32.exe  "C:\WINDOWS\VINKRSy.dll",Startup
O4 - HKCU\..\Run: [xrlib707iofile.exe] C:\Documents and Settings\hahlers.BMT.000\Application Data\194EEBE24CE0E82C6FEF6609725C3C25\xrlib707iofile.exe
O4 - HKCU\..\Run: [1060343] C:\DOCUME~1\HAHLER~1.000\LOCALS~1\Temp\1060343.exe
O4 - HKUS\S-1-5-18\..\Run: [msdrm] msdrm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msdrm] msdrm.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284498367937
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BMT.local
O17 - HKLM\Software\..\Telephony: DomainName = BMT.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BMT.local
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\PROGRA~1\ACT\ACTFOR~1\Plugins\actlink.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MS PnP Service (MSPnPService) - ?????????? ?????????? - C:\WINDOWS\system32\mspnp4ef.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 15270 bytes
 
Check the hosts file for redirects. Nothing is jumping out at me for HijackThis log, but I'm not the best at reading them.
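As an added example for this thread (not code from any poster or from HijackThis), here is a small parser for the hosts file that reports the two things malware typically does to it: pointing a site at an outside address (a redirect) and pinning security or update sites to a local address (a silent block). The sample hosts text is constructed; the WATCHLIST domains are my own choice of vendors mentioned in this thread, and the path in the comment is the standard Windows XP location.

```python
"""Spot hosts-file redirects and blocks of the kind malware plants.

Added example for this thread, not anyone's posted code. Parses hosts-file text
and reports (a) names pointed at a non-local address (a redirect) and
(b) security/update sites pinned to a local address (a silent block).
"""
import ipaddress
import sys

# Sites whose presence in hosts is itself suspicious even when mapped to
# 127.0.0.1, because that silently breaks AV and OS updates. Extend to taste.
WATCHLIST = ('microsoft.com', 'mcafee.com', 'avast.com', 'malwarebytes.org')
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost'}

# Constructed sample hosts content, not a real machine's file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.yahoo.com          # web site redirected to an outside address
127.0.0.1       update.microsoft.com   # updates would silently fail
127.0.0.1       www.mcafee.com
0.0.0.0         ads.example            # ad-block style entry, not flagged
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: malformed line
        for host in parts[1:]:
            yield line_no, addr, host.lower()


def on_watchlist(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith('.' + d) for d in WATCHLIST)


def find_redirects(text):
    """Return [(line_no, host, address, reason)] for entries worth removing."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, host, str(addr), 'redirected to a non-local address'))
        elif on_watchlist(host):
            findings.append((line_no, host, str(addr), 'security/update site pinned to a local address'))
    return findings


if __name__ == '__main__':
    # On Windows XP the live file is C:\WINDOWS\system32\drivers\etc\hosts;
    # pass its path as the first argument, or run with no arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, host, addr, reason in find_redirects(text):
        print(f'line {line_no}: {host} -> {addr}: {reason}')
```

Entries mapping arbitrary names to 0.0.0.0 or 127.0.0.1 are left alone on purpose: that is what ad-blocking hosts lists look like, and only the watchlisted vendors are worth a second look when pinned locally.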
 
(After the above log) I updated Malwarebytes before going to bed and it found an updated DB. Ran the scan overnight again and it found 11(?) items, so I cleaned those out. Returned the laptop to him again this morning as he "needs" it for work. Told him WHEN (not IF) it starts freaking out again, bring it back over the weekend when I have more time to go through it and hopefully somebody can help me translate the logs (I too don't see anything in the one I posted, but I'm no HijackThis log-reading expert).
 
HijackThis: I'd check this and click on Fix Checked.
O4 - HKCU\..\Run: [xrlib707iofile.exe] C:\Documents and Settings\hahlers.BMT.000\Application Data\194EEBE24CE0E82C6FEF6609725C3C25\xrlib707iofile.exe

http://www.prevx.com/filenames/1513376178941240621-X1/XRLIB707IOFILE[1].EXE.html

Set him up with a non-administrator account.
http://www.mechbgon.com/build/Limited.html

Also run TDSSKiller, and if still infected, as a last resort, Combofix. I personally have not had any problems using Combofix but read this first.
http://www.bleepingcomputer.com/forums/topic273628.html
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

About Combofix:
Combofix currently only works with Windows 2000/XP/Vista/Windows 7 (32-bit).
Although ComboFix will work on Windows 7, it is not officially supported so if it is run you will receive a warning message that it is a beta version meant for compatibility testing.

How to uninstall Combofix:
ComboFix is a stand-alone program. It does not get installed and it does not run all the time. It creates a restore point, scans, deletes any files that it knows are bad, creates a report and a folder called C:\Qoobox, and then closes.
To uninstall Combofix in Windows XP and Win 7:
1. Click START then RUN, enter cmd and click OK to open a command prompt. For Win 7 click START, type cmd in the Search Programs and Files window and hit Enter.
2. If you downloaded Combofix to your desktop type cd Desktop at the command prompt and hit enter. If you downloaded it to another location substitute that for Desktop.
3. The prompt should change to show you are on your Desktop folder. Type combofix /uninstall (space between x and /) and hit the enter key which should run ComboFix's uninstaller. This will also delete the C:\Qoobox folder.
 
These are the ones I suspect:
Anything that is using rundll32.exe to start and anything that starts from any directory other than program files or windows is always something to check.

HKCU\..\Run: [Jnowukinemerokon] rundll32.exe "C:\WINDOWS\VINKRSy.dll",Startup
HKCU\..\Run: [1060343] C:\DOCUME~1\HAHLER~1.000\LOCALS~1\Temp\1060343.exe
HKCU\..\Run: [xrlib707iofile.exe] C:\Documents and Settings\hahlers.BMT.000\Application Data\194EEBE24CE0E82C6FEF6609725C3C25\xrlib707iofile.exe
The other thing is to use sigverif.
Just type sigverif in run or command prompt
It will go through and check all the system files and list the ones that are not signed so you can decide if they belong.

Also use the loadord.exe program from the sysinternals suite to see what is loading on boot and in what order. It will show much more than just the startup stuff and can reveal things like rootkits loading.
 
Key things when cleaning: wipe out all temp files. These will be in Default User, the user profile directories, the Windows dir, and root, among others.

remove all restore points.

Install Microsoft Security Essentials if it's not already.
 
Here are some further tips in addition to setting up the Limited user account: http://www.mechbgon.com/security
The Secunia checkup is vital; the bad guys have a field day with out-of-date Java, Reader, Flash, QuickTime and many other things you don't think to update routinely.


Last night I fixed someone's infected computer for the second time myself. I'd done it about 8 months ago, set them up with a Limited account and Microsoft Security Essentials. So I was curious to see what had happened. Three guesses.... yeah, they bumped their user account back up to an Administrator-level account. On WinXP, that's basically unbuckling the seatbelt and hoping for the best.
 
Nice! The unfortunate thing about Windows XP is you're right, they most likely did bump their account back up to Admin, mainly because it is a pain in the butt to run as a limited user in that OS. It is possible, just not as convenient as in Windows Vista and Windows 7.

I always wondered, because for me it feels and seems like it. Does UAC slow down any PC a little? Even if it is only a few seconds or even milliseconds, I would love to know. In my personal opinion I think it does, even if only very little, mainly when you go to install a program or game. Of course it slows it down when opening an application that always requires admin access, like True Image, Fraps, etc., but that can't be helped unfortunately. I don't think you can make applications like True Image or even Fraps run without Admin access. Wish you could though. Would be nice.
 
That's the truth. Their system's a Core 2 Duo with 2GB of RAM, so I suggested they upgrade it to Win7 if possible. The mom does medical transcription work remotely, and she said they required WinXP for their connection software, but that was a few years back, so maybe things have changed. They'd BETTER change, since WinXP is off the market now.

In that situation, if you happen to have XP Pro or XP MCE, you can create a RunAs shortcut that elevates that specific program to Admin level. It's pretty easy:

1. make a shortcut to the program, right-click the shortcut and choose Properties.

2. add runas /user:name of admin account /savecred in front of the stuff in the Target box.

3. Change the Start In box to a location your non-Admin account has access to, like C:\Documents and Settings\your non-admin account's folder

4. you may also want to change the icon for the shortcut by right-clicking it, choosing Properties, and using the Change Icon button.


One gotcha is that the program that's being run as Admin will see the file system from the point of view of the Admin account. So to it, the My Documents folder and the Desktop folder are the Admin's My Documents and Desktop folder, for example.

Also, this will only work if the alternate account has a password. Blank password = no RunAs. WinXP Home can do RunAs but doesn't have the /Savecred option, so you'd have to enter the password every time.

It's a bit of a hassle, but if the alternative is to spend six hours peeling malware off the system... yeah.
 
Yeah, they had better upgrade! Windows XP may still be around, but it is an ancient OS and, just like Windows 2000, has had its time to shine! Much longer, even!

Not sure if you forgot or are not sure, but do you know the answer to my second question? Or what is your observation, in your opinion? You may not actually have any Windows XP machines to compare to that don't have UAC. Only way to force someone to not have UAC, lol.

 
Regarding whether UAC affects response time, I have no data on that.

OK, thanks. You must not have any computers around with Windows XP anymore. I researched this issue before but found no tested benchmarks. It is a little difficult to say, and it is not really important enough of an issue to care about.
 
I would start by disabling restore points before cleaning. I also notice that both Avast and McAfee appear to be installed, possibly something from Symantec as well. If I am repeating sorry, I have just glanced at this. Also, I would disable Messenger. It will always pop-up messages you do not want.
 
I HATE malware removal. It takes way too much time and the success rate is too low nowadays.

Once you get this PC fixed, tell them you are out of the malware repair business. Teach them how to make image backups of their PCs and help them order a disk to hold backups. The cost for a suitable external disk can be as low as $50 and will save their data some day, as well as save you tons of time and frustration in the future.
 