Hompage/background hijack among other things

I have been here before, and thanks to you fine people, my problems were solved. You can see what my problems were here.

I come to you again with a similar problem. I have my friend's laptop, which is where my malware problems originated from through MSN Messenger. He has done nothing about the problems so his computer is worse off than mine was. Hopefully you can help.

I followed the Read & Run Me First thread and have the required logs attached.

I was unable to run Bitdefender.

Forgive me if I have forgotten something.

Thanks in advance. Tell me what to do next.

 

Here is the HJT file:

 

Using add/remove programs which can be accessed from the control panel, uninstall the following: (If found)

Download

- Pocket KillBox

Extract to its own folder somewhere that you will be able to locate later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)



Run HijackThis. Click the 'Do a system scan only' button.

Place a checkmark in the box next to the following lines:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.



Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.



Now boot into SAFE MODE

Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


REBOOT to Normal Mode.

Let me know how things are running now

Post a fresh HijackThis log, a fresh newfiles log and a fresh activescan log.

 

Thanks for the help.

This:

did not show up in HJT, so I didn't put a check by it(obviously).

I received 2 errors when fixing the problems in HJT. The first I accidentally clicked past so I don't know what it said. The second said this:

Everything is so far so good, though Active Scan shows differently, and it took a bit for the problems to show back up on my computer. I've included the requested logs...

Thanks again.

 

I need some more information about a file.

Download the zip file attached to this post and extract the contents to a folder on your destop.

Run GetDetails.exe

Paste the following into the textbox and click run report.

Upload the file it creates in the reports folder next to the exe.

 

Done. Here it is:

 

OK

Reboot into safe mode and delete the following

Post a new HJT log and a new Shownew log.

I think we are nearly done here, just a final check, (sorry for the delay!)

 

No problem, I'm just happy for the help.

File deleted. Logs:

 

Hmm it looks like this line that you couldn't find has changed itself to this one

The chances are that if you have rebooted it will have changed AGAIN but have a look anyway and see if you can fix it with Hijack This and then delete the file using killbox.

I don't think the file it points to actually exists, something is just putting fake startup entries in.

 

Looks like you are right, the file changes everytime the computer is rebooted. Looks like it starts with a d everytime, but that's about all I know about it.

This file:

was not in HJT for me to fix. I did however put the file path in Pocket Killbox, and received the PendingFileRenameOperations prompt.

I am unable to leave the computer on, the power cord is bad and requires some special 'love' to get it to power the computer.

I've included HJT logs and a new Shownew log. You didn't ask, but I figured you'd need them.

 

Coolness. Thanks!

Here are the logs:

 

Recieved a couple or errors when doing the fix in HJT. This is what I got:

and:

Found each file using Windows Explorer after a reboot into Safe Mode and deleted them.

The computer is running stable and much faster and smoother than it was before we started this whole process. I have not noticed any problems as of late, but I haven't been using the computer either. Seems to be running just fine.

Here are the logs:

 

There is only one user account on the computer. 2 if you count Administrator. This is my buddy's laptop, so I do not know its history. I did not disable the tools, and I doubt he did....at least knowingly. Perhaps a previous user? Is there a way for me to re-enable them?

 

Received this error:

Looks like the same sort of trouble we ran into when doing MY computer months ago. You had me download a registry editor and take a back door approach to things. Hmm...

 

Once again, I am doing this for my friend and his computer. He has the same problems I had. In fact, his computer is where my problems originated from, through MSN Messenger. My computer continues to be clean thanks to you.

At the end of the last thread, I asked if I could follow the same procedures to fix his computer, but was advised to start a new thread because his problems could be different, so I did. I only mentioned my last thread to see if it could help you out, looks like it did.

Anyway, I followed the steps of message 24 again. They did work. The folder C:\WINDOWS\system32\uyhererli could not be found. I did however find a hidden folder containing csrss.ini. The folder is: C:\WINDOWS\system32\nmqjnh. I deleted this folder.

A restart into normal mode and a double check shows the keys and weird folder are in fact still deleted.

Sorry for the previous confusion. Here is an HJT log and a ShowNew log just in case:

 

A question....

Yes, I did in fact uninstall Registrar Lite on my own computer. Should I not have?

 

Here it is:

 

Sweet! Thank you so very much chaslang and matt.chug!

I've set my buddy's computer up with the proper preventative measures. Hopefully I will not be back. Thanks again!