Sony VAIO - Infected

Quite infected. This laptop belongs to a 40-something year old woman who "relies on her looks to get her through life, and to get men to fix things for her for free" (passed onto me from my step-mom, who is her friend). First thing, this laptop has FOUR users on it (Abbey, Carla, Maggie, Lindsey) and, of course, the "Administrator" account when booting into Safe Mode. I booted into Safe Mode and ran all of the offline scans (including CWShredder, Kill2Me, HSRemove, and About:Buster) on each of the user accounts. I ran the online scans from Administrator in Safe Mode with Networking. I ran HJT from the account "Abbey" in Normal Mode. I will post all requested logs as attachments.

A few notes: on the account "Carla", I could not install SpyBot. I would get an error near the end of the installation process, but installing from user "Abbey" went without any problems. Also, on account "Carla", CCleaner would encounter a run-time error when trying to close the program. Yet another problem, only encountered on account "Carla", the options to view hidden files and folders, file extensions, and system files would not stay applied no matter how I approached it. The settings would always revert immediately after closing the dialog box. Prior to scanning, IE would freak out (constantly refresh a page without actually loading it) when trying to open certain sites (Windows Update, CCleaner's update page). I haven't tried to visit these sites after scans. Lastly, there are two folders in "C:\WINDOWS\" labeled "system"; one seems valid, the other has only a hidden file "javaw.exe" and another folder named "system", which is empty.

 

Clear the Java Runtime Environment (JRE) cache:

• Click Start > Control Panel.
• Double-click the Java icon in the control panel.
  -The Java Control Panel appears.
• Click Settings under Temporary Internet Files.
  -The Temporary Files Settings dialog box appears.
• Click Delete Files.
  -The Delete Temporary Files dialog box appears.
  -There are three options on this window to clear the cache.
  • Delete Files
  • View Applications
  • View Applets
• Click OK on Delete Temporary Files window.
  -Note: This deletes all the Downloaded Applications and Applets from the cache.
• Click OK on Temporary Files Settings window.
• Close the Java Control Panel

Download
- Pocket Killbox

Follow the directions for Look2Me VX2 Removal.

Copy the contents of the below quote box to notepad and Save as FixReg.reg to your Desktop. Do not run the registry patch, we will do that latter in Safe Mode.

Close Notepad.

Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Locate FixReg.reg on your Desktop, double-click and answer 'Yes' when asked if you want to merge with the registry.

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Post a fresh HijackThis log.

 

Here is the log from the Look2Me VX2 Removal procedure. I am continuing with the suggested procedures after that right now and will update you when I complete them.

 

Here is the fresh HJT log and some notes about the procedures.

- C:\WINDOWS\inf\biini.inf doesn't exist, but C:\WINDOWS\inf\biini.PNF does
- C:\WINDOWS\inf\fastvideoplayer.inf doesn't exist, but C:\WINDOWS\inf\fastvideoplayer.PNF does
- C:\WINDOWS\system32\cache32_rtneg2 seems to be a folder, not a file (deleted anyway)

As an additional note, some of your descriptions about the "Delete Temporary Files" dialog box from the Java Control Panel and the "Delete Temp Files" dialog box from Pocket Killbox differed from my software. Maybe the instructions are outdated, or maybe my software is, but I figured I'd throw it out there.

 

Go ahead and delete those.

The instructions are a little outdated.

Follow the directions for Using GetRunKey.

You have parts of Web-Nexus (Winsysnc) still hanging around, GetRunKeys should show me which registry key is responsible for respawning the infection.

Post runkey.txt when fininshed.

 

I deleted those files and ran GetRunKey, I'm attaching its log now.

 

It's really important that you complete the instructions I give you in a timely manner. Since it has been 2 weeks, post a fresh HijackThis log.

 

Sorry about the delay, the computer was being kept at a house that I do not live at, and I have experienced transportation troubles lately. Here is the HJT log you requested.

 

Download
- Pocket Killbox
- ExplorerXP

Windows Messeger is running in the background, and represents a security risk. Disable Windows Messenger by running Shoot The Messenger. If you are using this as your IM client then replace it with MSN Messenger.

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it as this time we will do that later in Safe Mode.

Close Notepad.

Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Follow the directions for Using GetRunKey, once again.

Post the runkey.txt and a fresh HijackThis log.