Malware-infected portable

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CharlieSummers, Nov 21, 2007.

  1. CharlieSummers

    CharlieSummers Private E-2

    I got a call from my cousin asking if I could take a look at his Dell laptop, and...ugh. With the computer disconnected from the network, it slows within minutes after boot to such a crawl that it takes literally minutes to drop-down a menu. (Connected to the Net, or booted in Safe Mode, the machine is acceptable.) The major symptoms are pop-ups warning about Malware.

    I attempted to install various anti-malware tools, but I'm not certain any of them properly installed, and it won't allow me to update any of them anyway either with nameserver lockouts or registry warnings ("Contact your system administrator..."); it's also locking me out of using various tools (regedit, Task Manager, etc.), although the registry entries can be temporarily removed in Safe Mode.

    I'm certain this seems worse to me than it does to the assemblage here, but it's clear I can't handle this with the usual tools (AVG, Spybot, etc., etc.), so I respectfully enclose a HiJackThis logfile (I think I renamed the executable incorrectly to analyZe.exe, but that should be ok, yes?), and thank you all in advance for any advice.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts, you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * Reconnect to the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now see if you can do the instructions here: READ & RUN ME FIRST. Malware Removal Guide

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
    Wareout
     
  3. CharlieSummers

    CharlieSummers Private E-2

    I wouldn't dream of running a browser (or anything else) on that machine. I wouldn't connect it to the router if it weren't for the massive slowdown...so I can read this post on my desk machine while performing the steps on his laptop. Am using a thumb drive to transfer between the two. Should also note I created a copy of the Ultimate Boot Disk/Windows using his Dell XP startup disc, just in the event of a major emergency.

    Uh-oh...I can't find this one on this scan. Performed the other removals. After clicking Fix, I received five dialog boxes telling me Reg editing has been disabled by my admin, along with a boatload of Spybot TeaTimer dialog boxes. I turned off SPS&D, re-scanned, deleted the entries that still existed, then scanned again and they are, indeed, gone. (*whew*)

    Done.

    Copied to flash drive. (Yeah, too much information, but I want you to know anything I do outside the specific instructions just in case.) At reboot, an attempt was made to change the shell (that printer.exe deleted above)...denied in SS&D.

    Done; SS&D immediately requested a startup change, which I allowed. At restart, it tried to change the shell again, denied, and delete the Avenger .bat file startup entry, which I allowed.

    Will do. While I work on that, I'm attaching the log files from fixwareout and avenger here.

    EDIT: Control Panels, regedit, and I assume others are again being disallowed. (*sigh*) One step forward, two back...

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good....we request in the instructions to turn off Teatimer ....please do so.

    To Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Now please get me the logs from:
    ShowNew
    GetRunKeys
    and a new HJT log.
     
  5. CharlieSummers

    CharlieSummers Private E-2

    (*sigh*) Ran into a snag. To properly follow those directions, I wanted to remove all of the existing anti-malware apps and install only those mentioned with the exact settings listed (i.e. no TeaTimer). But I can't run Add/Remove programs - "contact your admin, policy violation, yadda yadda."

    I can use HiJackThis to get to RegEdit (clearly the malware is replacing the DisableRegedit entries, but I can keep working around that)...is there is registry setting I can manually edit to get Add/Remove Control Panel access back?

    Thank you for your help and patience.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the HijackThis fix that Tim gave you in message # 2?
     
  7. CharlieSummers

    CharlieSummers Private E-2

    Yes, but I also mentioned every time I want to run RegEdit I need to re-scan and again delete the entries (the b*stard seems to be replacing it), and that fix does not seem to affect access to control panels, which I can't access (TIA, I can access some of them, but even something as simple as Sound seems to be on the "policy" list.)

    At any rate, after the holiday with a good night's sleep, I removed what I could through their own uninstallers, turned off/disabled what I couldn't, and followed through on the instructions listed on the READ & RUN ME FIRST page. I also want to note outside the testing routine I have noticed a process "Sample" that needs to be force-quit on reboot from Safe Mode - no idea if it means anything, just an observation.

    Followed procedures in the READ & RUN ME FIRST page as closely as possible, with the exception of using a "clean" computer to download the programs to a freshly-formatted flash drive and installing them to the infected machine from there...updates were performed as normal through an Internet connection. I did not get a CounterSpy log at the time, as the Safe Mode version doesn't have the "View" menu. I did not initially install the latest JRE, as in Safe Mode I was policy-denied (possibly the spyware or just Safe Mode, dunno) and the BitDefender online-scan failed; between running Spybot/Counterspy it was necessary to reboot into normal mode to install the latest JRE...when I did that, Windows installed some updates. Rebooted back to Safe Mode and attempted to run BitDefender online scan again, with no joy. Rebooted into normal mode and ran BitDefender online scan...the ActiveX control loaded, but it could not update the viral definitions. I tried a second time, with the same failure, then just told it to scan anyway. When finished, warned me the computer was still infected (also forgot to change Save As... type to text; apologies for the goof).

    Switch to Panda...I could not resolve pandasoftware.com on the infected machine, while I could on other machines on the network. I used pandasecurity.com to get there, then clicked for the free online scan, and...it failed to resolve. The problem here is clearly something in this machine (other machines using the same nameservers can easily get to pandasoftware.com, and the infected machine can get to pandasecurity.com - maybe hosts file, didn't check).

    So I went on to GetRunKey/ShowNew. (*sigh*) The thing clearly reset the RegEdit policy entries again (lots of policy dialogs), so I closed-out of GetRunKey and ran HiJackThis to remove those two d*mned policy entries, then immediately ran the two bat files. Ran HiJackThis to get a new log file, then copied the logs to the flash drive and immediately shut down the computer (Windows again installed updates, six of 'em this time. Really MS, or the malware?).

    Anyhow, this and next post(s) contain the log files, and I again thank everyone for their help and patience.



    NOTE: Something here (either Spybot or Counterspy) did something effective, at least; I'm no longer getting the "anti-spyware" dialog box and notification. I'll cheerfully accept any progress, you know?

  8. CharlieSummers

    CharlieSummers Private E-2

    Just more logs.

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Viewpoint Media Player
    Turn off all anti-virus and anti-spyware protection while you do the following:

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
     
  10. CharlieSummers

    CharlieSummers Private E-2

    Well, that was fun. I might have mentioned I can't run most control panels...after manually deleting various entries in:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

    ...I was able to get to Add/Remove by the back-door ("Set Program Access"); I'm going to need to eventually figure out how to straighten that mess out. But anyway...

    Removed Viewpoint (Used: Frequently, I don't think I want to know). Fixed the entries in HiJackThis (keep killing the things, they keep coming back). Transferred fixme.reg via flash drive, merged. Transferred delete files, input into avenger.

    Logs requested attached, along with my continued thanks.

  11. CharlieSummers

    CharlieSummers Private E-2

    Final requested log.

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  13. CharlieSummers

    CharlieSummers Private E-2

    Will do; also uninstalling all anti-malware programs and reinstalling those suggested on the How to Protect yourself from malware! page.

    A note about cleaning up some residual problems:

    • HOSTS file
      When I looked at the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file, I could see why I had so much trouble with the anti-mal software; the malware clearly added most of the sites to the file keeping them from loading/installing/updating. Manually edited to allow the Spybot-added section while removing the other crud.
    • Dial-A-Fix
      This is cool, and you might consider adding it to your suggested toolbox. It solved a number of nagging problems, including not being able to use search ("A file that is required to run search companion cannot be found..."), not being able to view the Windows Update website, etc. It automagically unregisters and re-registers the components selected. Probably shouldn't be run by someone unfamiliar with the innards of Windows, but under the guidance of experts like yourselves, may be a solid tool for post-cleaning issues.

    I am not only going to place a shortcut to this page on his desktop (I considered making it his home page, but changing that would be rude), I am also going to print out a copy and include it in the computer case.

    Please accept my sincere gratitude for all of your help!
     
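An added example, not from this thread or from any of the tools it names, of the HOSTS check described in the post above: it parses a HOSTS file, keeps the Spybot-inserted block apart from everything else, and reports the remaining entries that would stop the anti-malware sites named in this thread from resolving. The sample HOSTS content is constructed, and the Spybot section marker lines are an assumption about what that product writes.

```python
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "ip host line_no section")

# Constructed sample HOSTS content: a Spybot block section (legitimate) followed
# by malware-added lines pointing security-vendor sites at loopback or a bogus IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.example-adware.invalid
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com   # added by malware
127.0.0.1 www.bitdefender.com
192.0.2.10 downloads.subratam.org
"""

# Sites a cleanup depends on; nothing legitimate needs to resolve these locally.
SECURITY_DOMAINS = ("pandasoftware.com", "pandasecurity.com", "bitdefender.com",
                    "bleepingcomputer.com", "subratam.org", "safer-networking.org",
                    "windowsupdate.com", "microsoft.com")
SPYBOT_START = "# Start of entries inserted by Spybot"   # assumed marker text
SPYBOT_END = "# End of entries inserted by Spybot"


def parse_hosts(text):
    """Return a HostsEntry per active mapping, tagged with the section it is in."""
    section, entries = "user", []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(SPYBOT_START):
            section = "spybot"
            continue
        if line.startswith(SPYBOT_END):
            section = "user"
            continue
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        for host in fields[1:]:
            entries.append(HostsEntry(fields[0], host.lower(), n, section))
    return entries


def flag_blocked_security_sites(text):
    """Entries outside the Spybot block that hijack a security-vendor host name."""
    def is_security_host(host):
        return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)
    return [e for e in parse_hosts(text)
            if e.section != "spybot" and is_security_host(e.host)]
```

On a real machine, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS into `text` instead of the sample; any flagged line outside the Spybot block is one to remove before retrying the online scanners.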
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ...safe surfing.
     