Sons PC infected- hopefully clean now

Windows 7
x64
This is my 13 year olds pc. No clue when the problems started. I know he recently got infected by a keylogger through an email but based on all the problems, it appears he's had issues for a very long time. His own email account was hijacked and sent keylogger to all his contacts. Yes we changed his password on a seperate machine.

1. this is fixed was that when you used the windows key and typed anything into run or find, it came up completely blank.

2. He supposedly does not sign on using the admin account but I only signed on as admin. In the admin account priveleges weren't working. I didn't have access to all the pc. I had issues saving the downloads to c: and there isn't a c:\desktop. I would save them to the admins file and then copied them to c: and then sent to desktop as needed.

3. I could not install a new version of google chrome. Would get errors that "your preferences can not be read", probably related to security issues from 2.. I have not tried again. I want to ensure the pc is completely clean first.

4. I have not signed into the user account he uses. I only ran all this as administrator. Please note that I did not originally follow the sticky and listened to someone else first so I had downloaded all the files and ran them errorneously and still had issues. Only then did I follow the words that I know to work of majorgeeks. So I may have other log files if they saved that are earlier attached.

Thank you for helping. Please let me know if there's anything else he should do other than the system restore and enabling UAC again. I'll do those 2. Of course he's got to learn to be safer.....

I appreciate all help and advice. I will do whatever is needed to make sure this doesn't happen again including never letting the child on the PC for anything other than homework. LOL.

Take care.

 

other log files. Again I know that some were originally not done in accordance with directions but I realized that the original errors may be in them so attached them along with the ones that I did in the correct order.

Thanks a bunch.

 

sorry on the issues. I'm not that adept. I do realize it didn't work anyway as once I restarted the search under windows icon wasn't working again on the admin account. I already reenable UAC and disabled system restore on this admins account. Mattman45 is the administrator..... or supposed to be. he has another account which is just mattman.

So does this mean I have to run all this on every accounts desktop individually?

I have the disks to reboot which are the backup we created when we first got the pc? Or isn't there also an extra drive D:? SOrry not sure which you want.

What should step 1 be and which account should I start with, the admin or his? Plus there is a extra account.

How would the admin account get infected if nobody signs in as the admin?

Thanks. I will do whatever is needed. It was scary the first time we ran SAS on this pc. Seems he was using multiple antivirus and possible one was corrupted as he had Norton and Mcaffee and AVG so when I said to him did he run, I'm not sure what he was running as we weren't paying for Norton nor Mcafee and not sure where they came from.....

Gracias. i will await whatever you say.

 

Sadly we don't have a bootable windows 7 DVD as they provided all the software on D: as the backup.

Is there any way to use the D: recovery drive?

If not, I guess I can contact HP and if I do as it's still under warranty, what would I explain that the MBR possibly has a virus?

Thank you for the amazingly fast response time. I was just reading the forum logs and was shocked on how quick you were.

 

Thanks again. I'll do this but, I want some free time to run it all and will try to find time tomorrow. What account should I sign into when I try it?

I tried to sign on to my sons account and got an error message that his password expired and must be changed. I didn't think they expired on Windows 7 Home edition. I've never seen this before as he's not on a network so I was weary of doing any changes. Is it ok to set up a new password?

When I enable UAC I can't search and the windows menu search feature doesn't work either. Is there any issue keeping it disabled?

I tried to print on the wireless printer and it didn't work. i wanted to print out all the instructions. Is there any relation of not being able to print with all the stuff we've run? Should I try to reinstall the printer?

In the meantime I did all the runs correct this time in the account that has admin rights (still not my sons). all came out clean this time. Still have the same issue though it appears with MBR so tomorrow I'll work on something new and exciting. I'm going to post the clean logs in the meantime JIC so all info is there.

Have a great evening.:zzz

 

Missed 10 minute cut off so another question as the instructions have me downloading Imgburn to burn the disc. Isn't this software ridden with ads and is it safe or is there another software to burn the CD that I can get?

 

OK I did the fixmbr what is the next steps? UAC is off still.

 

Q. Does it matter which account I run mbrcheck from?

So far the account mattman45 that has admin rights is fine and I still haven't signed onto his actual mattman account.

I'll run it in the account I've been running it in and see what happens.

If it gets a clean bill of health, I'll then do all the steps on the mattman account.

Much warmth and regards.

 

Here is log. Ran from mattman45 account with admin priveleges.
Wierd it has the time at AM and not pm.
Should I fix the time clock?
Let me know if I should sign on into sons account. He admits to using the admin privilege account hence all the issues mattman45 has. Not sure about mattman user account yet.

should I do all the spyware in order on the mattman account now? or which ones?

I can no longer print from this account. I was able to prior to all the runs.

Thanks again.

 

oops I reran as I forgot to shut off all security first.
Here's a new run.

 

Sorry for confusion as I thought it was part of mgtools as I don't remember running it before.

Here it is and hopefully it's clean.

Thanks.

 

Haven't been using the pc. What has been on the mattman45 has been fine. If I sign into mattman account which was the primary account my son used, should i do all the steps again or only specific ones (this is the account that hasn't been signed onto and needs a new password, I'm sure it will have issues in other words).

Thanks

 

New logs.
1. time on pc is still backwards saying pm when am. should i fix this?
2. I could not uninstall google chrome even using cccleaner removal too. I was trying to remove it as on mattman45 it was removed and I couldn't reinstall it, when I saw it still listed on mattman account I figured this may be a problem.
3. is registry mechanic an ok program as it keeps popping up?
4. Combofix was showing up as read only originally so I reinstalled and changed name to run it.
5.malaware bytes showed 10 issues fixed
6. sysmain superfetch? when i was shutting off running processes. Don't believe I've seen that before.
7. I still can't print wirelessly.

Thank you.

 

other files since 4 max

 

Thank you so much. I tried using revo and got an error message that it could not open INSTALL.LOG file.

Is this a software issue or possibly still malware?

This is such a wonderful sight and amazing.

 

I also found bttr.exe to be set to run at startup and understand that to be malware. Should I run something else? I'm still signed into my sons account

 

If I go to Start and type anything in the search box it finds nothing. Even excel, powerpoint, msconfig. I can choose from menu options but once I type in the search box it's blank.

 

I choose start and all the start menu comes up including the blank search box. Once I enabled UAC per your last post, now whenever I type in that box then the actual menu above disappears like it's finding nothing. Basically the search feature is disabled. Although if I leave the box blank and choose all programs I can find them. Even if I type msconfig it's blank but if I choose run and type msconfig it works. So the feature got disabled somehow.

the bttr.exe was bluetooth,so it's then okay?

I'm not having an issue with Windows updates on the pc. I did sfc /scannow to fix the missing .dll file and the scannow.txt file was completely blank when I tried to open it in notepad, using edit function gave me that edit was not valid.

so the sqmapi.dll file is missing. I tried to find it on the Windows 7 disc and couldn't . Is there a safe place I can get this file and how and where should I put it on the PC?