Highly infected computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by @hometechy, Sep 18, 2013.

  1. @hometechy

    @hometechy Private E-2

    Hello,

    I'm trying to help a friend fix his computer. He called me because it was acting funny, and I've done all the steps in Read and Run Me First.
    He said the computer was disconnecting him from the internet spontaneously and could not reconnect despite showing a valid connection icon. Also, it would only connect through the ThinkPad software; he couldn't enable the Windows software to do it.
    It would show certain links when doing searches, but then would only open certain ones, redirecting others and failing to open certain pages.
    At first I thought it was Internet Explorer problems, but after resetting and trying other easy fixes, I quickly discovered it wouldn't allow any Windows updates, or other updates either. I brought it home to take a closer look and discovered a trojan buried in White Smoke Translator.
    I started using the tools to clean it in Read and Run Me First, and it found a lot of things using those tools.
    I would like help to properly clean this computer, get it working well again, and able to do updates. It's running Windows XP Pro SP3, and it's a Lenovo ThinkPad, both things I'm not as familiar with as home versions.
    I am attaching logs here. Please let me know if more information is needed.
    Thanks very much for your time in helping me,
    Rebecca.
     

    Last edited: Sep 18, 2013
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Before we continue, I would like you to use MSConfig to put this machine back into normal startup mode.

    2. WhiteSmokeTranslator <<< is still installed. Remove it.


    3. Please re-run Hitman and have it delete Malware remnants & Potentially Unwanted Programs.


    4. Did you indeed have MBAM fix what it found? Let me know!



    5. Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the file/folder tab and locate these detections:

    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$febff8ae9a8f86dfc7b5543666b68681\U [-] --> FOUND
    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-1148349676-1924368195-2102740441-1008\$febff8ae9a8f86dfc7b5543666b68681\U [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$febff8ae9a8f86dfc7b5543666b68681\L [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-1148349676-1924368195-2102740441-1008\$febff8ae9a8f86dfc7b5543666b68681\L [-] --> FOUND
    • [ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND

    Place a checkmark next to each of these items, and leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    6. Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    7. Delete these if they show:

    • C:\Documents and Settings\All Users\Start Menu\Programs\WhiteSmokeTranslator
    • C:\Program Files\GUM28.tmp


    8. Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.




    9. Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.



    10. Re run RogueKiller again, just a scan and attach log.


    11. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    12. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)
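    The RogueKiller detections in step 5 are the classic ZeroAccess (Sirefef) file-system footprint: a folder named "$" plus 32 hex digits under C:\RECYCLER\<SID>\ with "U" and "L" subfolders, and a Desktop.ini planted in C:\WINDOWS\assembly\GAC. The script below is an added example, not from the original post or from any of the tools named above. It walks a drive root and reports paths matching exactly those indicators, then demonstrates itself on a constructed fake XP drive laid out in a temp directory (the SIDs and $-folder name are the ones quoted in the thread; the Dc1.txt entry is a benign recycle-bin file that must not be flagged). It checks only the indicators quoted here, so it is a targeted confirmation check, not a general rootkit scanner, and it is most reliable run against a drive mounted from a clean boot environment, since a live infection can restrict access to these folders.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the RogueKiller detections quoted in the thread: a
# "$" + 32-hex-digit folder under RECYCLER\<SID>\ holding "U" and "L"
# subfolders, plus a Desktop.ini dropped into the .NET GAC folder.
SID_RE = re.compile(r"^S-1-5-(?:18|21-\d+-\d+-\d+-\d+)$")
HASH_DIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
PAYLOAD_SUBDIRS = ("U", "L")
GAC_INI = Path("WINDOWS") / "assembly" / "GAC" / "Desktop.ini"


def scan_for_zeroaccess(drive_root):
    """Return sorted, drive-relative paths matching the ZeroAccess indicators.

    drive_root is the mounted root of the system drive (an offline image or a
    live C: drive). Paths use forward slashes so results are stable everywhere.
    """
    root = Path(drive_root)
    findings = []

    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sid_dir in recycler.iterdir():
            # Only per-user SID folders and the SYSTEM SID (S-1-5-18) matter.
            if not (sid_dir.is_dir() and SID_RE.match(sid_dir.name)):
                continue
            for entry in sid_dir.iterdir():
                # Legitimate recycle-bin entries are files named Dc<n>.<ext>;
                # the rootkit instead creates a "$<32 hex>" directory.
                if not (entry.is_dir() and HASH_DIR_RE.match(entry.name)):
                    continue
                for sub in PAYLOAD_SUBDIRS:
                    if (entry / sub).is_dir():
                        findings.append((entry / sub).relative_to(root).as_posix())

    if (root / GAC_INI).is_file():
        findings.append(GAC_INI.as_posix())

    return sorted(findings)


def build_sample_tree(base):
    """Lay out a constructed, fake XP system drive for demonstration only.

    The $-folder name and SIDs are the ones quoted in the thread; Dc1.txt is a
    benign recycle-bin file that the scanner must ignore.
    """
    base = Path(base)
    hash_dir = "$febff8ae9a8f86dfc7b5543666b68681"
    for sid in ("S-1-5-18", "S-1-5-21-1148349676-1924368195-2102740441-1008"):
        for sub in PAYLOAD_SUBDIRS:
            (base / "RECYCLER" / sid / hash_dir / sub).mkdir(parents=True, exist_ok=True)
    benign = base / "RECYCLER" / "S-1-5-21-1-2-3-1001"
    benign.mkdir(parents=True, exist_ok=True)
    (benign / "Dc1.txt").write_text("benign deleted file\n")
    (base / GAC_INI).parent.mkdir(parents=True, exist_ok=True)
    (base / GAC_INI).write_text("[.ShellClassInfo]\n")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_zeroaccess(build_sample_tree(tmp))


if __name__ == "__main__":
    # Expected: the four RECYCLER payload folders and WINDOWS/assembly/GAC/Desktop.ini
    for hit in demo():
        print("FOUND:", hit)
```

To use it against a real drive, call scan_for_zeroaccess with the drive root (for example the mount point of an image taken from the suspect machine) and compare the output with what RogueKiller reported; an empty result after cleanup is the confirmation that the quoted remnants are gone, not proof that nothing else is present.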
     
  3. @hometechy

    @hometechy Private E-2

    Thank you for offering to help me. I tried to put it into normal mode. It said an access denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes. (I am working from an administrator account.) OK was the only option, so I clicked it. Got the same error message with the same OK being the only option. This time I clicked it and another OK popped up, I clicked it too and then this message: You must restart your computer for some of the changes made by System Configuration to take effect. I restarted.
    Then I tried to remove White Smoke Translator again. Got the same error message: Error launching CheckLockedWsDictFiles.exe. Ok was the only option, so I clicked it.

    So now my question is: do I continue with the rest of your steps or do I stop here and wait for further instructions?

    Your advice is much appreciated,
    Rebecca.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue with the rest of the instructions.
     
  5. @hometechy

    @hometechy Private E-2

    Thank you. I've continued with the other steps, albeit with some issues along the way. I'm now on step 7, and I wonder, where do I delete them from? There is no mention of these files in the jrt log on my desktop, however, both files exist on my computer in the paths shown. Do I delete them directly from there?
    Thanks, R.
     
  6. @hometechy

    @hometechy Private E-2

    Hi,

    As you read below, I had issues with putting the machine into normal mode. It finally did it. Could not remove White Smoke Translator. I continued as instructed:
    When running Hitman I didn't see any spot to select "delete malware remnants & potential unwanted programs". There were options to click next and next, so I did. It scanned, found a lot. Selected delete for all except MGTools.exe. Rebooted machine.
    Side note: the machine always starts in fingerprint mode, doesn't seem to be a way to turn this off, have to hit ctrl alt del to get it to use user name and password instead.
    You asked if MBAM fixed what it found? I believe it did. He has a paid version of it on his computer, so it acted differently than in the instructions for the free version. And it was difficult to determine which scan I should attach to the original email because there were so many logs in the file, as opposed to free version which usually has only one log.
    Should I rerun MBAM?
    Running Rogue Killer had problems too. It asked to update via the website, I said yes. Insisted on installing browsersafeguard with it. Then appeared to be installing express_installer.exe. I was given an option to decline and skip all, so I selected it. Double clicked Rogue Killer again. Asked to update again, I said no to website this time. Scanned, file tab didn't have check spots, but the registry tab did, so I clicked delete and it opened a firefox tab from adlice software saying zero access removal with Rogue Killer. Restarted machine.
    Box popped up saying AcWLIconWnd - End Program. I clicked End Now and it finished restarting.
    Junkware Removal Tool went well.
    I didn't understand instruction #7. The files you specified did not exist in the log that popped up. They did exist in the file locations specified. Was I supposed to delete them from there? I did not do this.
    Step 8 Regedit4 was successful.
    I ran Windows Repair, it kept asking me if I wanted to run that file. I said yes a lot of times, then finally unclicked a box below that said always ask for files of this type & run. Did I now uncheck a box that should remain checked for future users of this computer?
    I rebooted the machine and the firewall is not working, I believe this is because I disabled McAfee as much as I could because I find it annoying and it interferes with everything! I left it turned off for now.
    Ran Rogue Killer again, again asked about the updates on website, I said no. Scanned.
    I've attached logs here. I would like some assistance getting White Smoke Translator to uninstall completely please. It concerns me that I couldn't complete that instruction.
    Are things running well now?
    Not exactly, I tried running Microsoft Update and it opened IE with a pop-up window that says: A program on your computer has corrupted your default search provider setting for Internet Explorer. Internet Explorer has reset this setting to your original search provider, Google (www.google.com). Internet Explorer will now open Search Settings, where you can change this setting or install more search providers. Only option is OK. Clicked OK. It opened search providers and I deleted McAfee Safe Search and Bing. Continued checking for updates through custom so I could see all possible updates.
    It seems to be checking for updates endlessly, meanwhile at the system tray at the bottom it shows a little yellow shield with an exclamation mark in it that says downloading updates and a percentage that keeps increasing. It said it had updates available while the browser window showed itself as still searching. I clicked to install the updates and a lot of Windows Security updates came up. I'm installing them now.
    2 updates could not install:
    Security Update for MS Office 2007 Suites (KB2687499)
    Update for MS Office Outlook 2007 Junk Email Filter (KB2760586)
    then I restarted the machine.
    Then more updates for McAfee and Windows.
    It has remained connected to my internet connection without disconnecting spontaneously for several hours now.
    It seems to browse fine and click on all webpages on a search, and able to go to secure websites such as aircanada again.
    Except for not being able to get rid of White Smoke Translator, the problems seem to be fixed. Thank you very much for the advice that led to this point so far. Could you please help me to correctly and completely uninstall this malicious software?
    Thanks, Rebecca.
     

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please. And Hitman. Have MBAM fix what it finds if anything, but with Hitman, just scan, and attach log.
    Please use Revo Uninstaller to be rid of it.

    This needs to be deleted. Run a search for it, and delete it, OR follow the file path, navigate to it, and delete it:
    • C:\Program Files\GUM28.tmp

    Once done, run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. @hometechy

    @hometechy Private E-2

    Hi,

    I ran MBAM again. It removed 5 objects. Restarted machine.
    Hitman only found MGtools.exe, I'm embarrassed to admit that I hit next too quickly and it deleted it. Got the log.
    Ran Revo Uninstaller, came across the same error message. I pressed OK and Cancel since uninstall wouldn't work, but then Revo Uninstaller did the rest! Very cool tool. Can I use it on almost any program that is difficult to remove, i.e. McAfee?
    I deleted the file GUM28.
    I reinstalled MGtools and then it ran itself. I'm attaching the log as wrongMBAM. Then I ran the GetBAT file. Attaching the log here.
    I have no idea how I ended up with 2 Hitman logs.
    Thanks for your assistance,
    Rebecca.
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes you can use Revo to root out anything that's being rather stubborn. :)

    Software such as McAfee antivirus usually has its own removal tool. But failing that, Revo does the job too.

    Ready for final steps, things running well now?
     
  10. @hometechy

    @hometechy Private E-2

    Hi,

    I think everything is running ok. Last night I thought we finally had it clean and then a pop up came up all by itself: Lenovo Blue Host "Ready to create your website?" Idea Notes. I'm not certain but I think this is something that came with the ThinkPad computer, but still, it seemed odd to see a pop up asking you to sign up for something that would cost $5.95 per month.

    If you say to ignore this then I will, and in that case, yes, everything seems to be working well and we're ready to proceed with final steps.

    Thanks again for your amazing support through this problem,
    Rebecca.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes it seems fine and legit. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  12. @hometechy

    @hometechy Private E-2

    Thank you for your help so far. There were quite a few files the bat file didn't get rid of, but I deleted them like you said. That's when I noticed the recycle bin is deleting items by itself, when you click on recycle bin, there are no files in there. How do I turn this off?
    Also, when restarting the computer after doing the system restore, for about a minute I had what looked like the blue screen of death with a Windows XP logo in the top right corner and a line that said: HitMan Pro Surfright 3.7. I didn't get it exactly, and then it showed the log in screen. Also, the recycle bin was temporarily in the bottom right corner and after I clicked it open it returned to its position in line with the other icons on the left. Are either of these problems?
    After restarting I tried the first program I know he'd use and that's Outlook. It worked, but it pulled in all his messages again, so now there are obvious duplicates in his inbox, same dates, same times, not so obvious how to get rid of them. Could you help me to get rid of the duplicates please?
    Other than that everything seems to be working very well. I'm hopeful the above doesn't indicate more viruses or malware.
    Thanks,
    Rebecca.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    All topics for the Software forum. ;)
     
  14. @hometechy

    @hometechy Private E-2

    Ok, I can do that on another post.

    Thank you so much for your invaluable assistance. This was a highly infected computer and you helped me so much! I couldn't have done it without you. Thank you for the time you've given to this project. Majorgeeks is the best thing on the internet!

    Take care,
    Rebecca.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Most welcome, Rebecca. Safe surfing! :)
     
  16. @hometechy

    @hometechy Private E-2

    Yikes, are you still there Kestrel?

    I tried uninstalling a program from the computer and it didn't work. So I tried using the Revo Uninstaller program and it seems to have stalled, it's 3/4 of the way through the uninstall process and now it won't show me the next key to be able to continue completely uninstalling it.

    The program is called Interface (used by realtors) and is usually easily uninstalled and reinstalled with the latest version, I don't know why it's giving me difficulty.

    My questions are: how long should I wait? How do I stop it if it truly is stuck?

    I know this is above and beyond the call of duty, if you could help that would be greatly appreciated!

    Thanks, Rebecca.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Open up Task Manager. Stop its process from there, and then try again.
     
  18. @hometechy

    @hometechy Private E-2

    You are so amazing to even answer my call for help! Thank you so much. I should not have been so impatient and right around the time I got your reply it finished what it was doing, successfully!

    Thank you again for your expertise and tools and advice, and for being there after you thought we were done!

    You're amazing!

    Thanks, Rebecca.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem!
     
