Mostly recovered, but still problems...

Discussion in 'Malware Help (A Specialist Will Reply)' started by GoOnWithTheShow, Nov 2, 2008.

  1. GoOnWithTheShow

    GoOnWithTheShow Private E-2

Hi, and thanks a million for the excellent tutorials.

I have been trying to help a friend with limited computer experience with his laptop, which has been on a broadband connection for almost a year, without any anti-spyware, firewall or anti-virus software installed. (Some of the included logs may have 2007 in them, because his system time was wrong.)

He had some XP AntiSpyware 2009 installed, which was obviously rogue. We had advised him to run Spybot, which he had done, and he said it found over 200 items on the first run, about 50 on the second, and by the time I got it, it still found about 7-9 items: Smitfraud-C, something I don't remember, and Task Manager had been disabled.

By the time I got the computer, it would no longer run Spybot, it had a "spyware-warning" on the desktop, warning messages came up from the taskbar continuously, Task Manager would not run, it would not accept a flash drive in the USB port, and I did not want to hook it to the internet, since the "no internet connection" message kept coming on in sequences of about 4 every 30 seconds.

    I used tasklist and tskill in the command-prompt to kill the following processes, some of which I found as bad through google, others which just looked suspicious:

    uesiuqcr.exe, hgrghmru.exe, Gool.exe, SpeedRunner.exe, epwvffr.exe, okrqm.exe, Facegame.exe, brastk.exe, GetModule23.exe, GetModule24.exe, okrqa.exe
After that, the constant spyware warnings stopped, I was able to change his desktop, put a flash drive in and run an updated version of Spybot, which still found Smitfraud, Task Manager disabled and a third item I wish I remembered. This is where I found your malware forum online, and followed your instructions as follows:

Ran CCleaner, worked ok. Uninstalled "RON Tool Bigadnetwork", "Ask Toolbar" and Advanced Registry Optimizer via the Control Panel. There were no Java installations to uninstall.

    I downloaded the software according to your instructions.

I ran SUPERAntiSpyware, which found a lot of stuff - I forget why, but somehow I must have run it twice in a row. It found something the second time, too. I ran Spybot again.

    When I tried to install MBAM, I received two Windows error messages during the installation, and another two error messages when trying to run it, and another two when I uninstalled it.

    ComboFix worked.

MGTools ran, but after accepting the HijackThis license agreement, there was another Windows error report, and it did not install.

    Thinking there still is some bad stuff on here, I ran the Avast scanner which did not find anything, and SmitFraudFix as suggested in your additional scans suggestions.

Oh, and after running SAS, I could hear the hard drive having problems, so I ran Check Disk, which found about four files with bad sectors; it has been good since.

    Thank you in advance for your help. :)

  2. GoOnWithTheShow

    GoOnWithTheShow Private E-2

More logs... (I attached the log from Spybot and SmitFraudFix... hope this is ok.)

    Thanks again in advance!

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is an older computer with a slow processor and little ram:
    Code:
    Processor    x86 Family 6 Model 8 Stepping 1 GenuineIntel ~647 Mhz
    Total Physical Memory    128.00 MB    
    Available Physical Memory    58.32 MB
    
    And a very small hard drive:
    Size 13.97 GB

    You also have no anti-virus software installed.

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\sandra.mda
    C:\Documents and Settings\All Users\Application Data\xml6.tmp
    C:\Documents and Settings\All Users\Application Data\xml7.tmp
    C:\Documents and Settings\All Users\Application Data\xml8.tmp
    C:\Documents and Settings\All Users\Application Data\dwjcpovi

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  4. GoOnWithTheShow

    GoOnWithTheShow Private E-2

    OK. The bold text merged with the registry.

I deleted the files you mentioned, but I got an access denied message for the dwjcpovi folder. I found the program hgrghmru.exe was in it, and looking in Task Manager, it was running. I ended it, and then the folder deleted ok.

    Should I install an anti spyware program before the cleaning has completed?

I have had some trouble with the latest AVG Free on an older laptop, although a little bit newer than this one. Is Avira ok? What would you recommend for someone who doesn't understand what the popup messages from the virus software mean...?

    Btw, I have noticed that - like another user on the forum - I got "low virtual memory" messages even though nothing was running.

Thanks again! (Again, I got an error message when running MGTools, about HijackThis, and, new this time, an error message at the end saying that the application failed to initialise properly.)
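The file removal TimW asked for above, and the snag the reporter hit with it (a folder that would not delete until the executable running from inside it was stopped), as an added example that is not from this thread. It assumes PowerShell is available on the machine; the paths are the ones TimW listed, and the script runs in report-only mode until $DryRun is set to $false.

```powershell
# Added example, not part of the thread. Checks each item TimW listed, and for a folder
# first stops any process whose image lives inside it (the dwjcpovi\hgrghmru.exe case),
# since a running executable keeps its folder from being deleted.
$DryRun = $true   # set to $false to actually stop processes and delete
$base  = 'C:\Documents and Settings\All Users\Application Data'
$names = 'sandra.mda', 'xml6.tmp', 'xml7.tmp', 'xml8.tmp', 'dwjcpovi'

foreach ($name in $names) {
    $item = Join-Path $base $name
    if (-not (Test-Path -LiteralPath $item)) {
        Write-Host "absent  : $item"
        continue
    }
    if (Test-Path -LiteralPath $item -PathType Container) {
        # Find processes running from inside the folder (Path is unreadable for some
        # system processes, so treat an access error as "not this one").
        $running = Get-Process | Where-Object {
            $p = try { $_.Path } catch { $null }
            $p -and $p.StartsWith($item, [StringComparison]::OrdinalIgnoreCase)
        }
        foreach ($proc in $running) {
            Write-Host "locked  : $item by $($proc.ProcessName) (PID $($proc.Id)) at $($proc.Path)"
            if (-not $DryRun) { Stop-Process -Id $proc.Id -Force }
        }
        if (-not $DryRun) { Remove-Item -LiteralPath $item -Recurse -Force }
    } else {
        if (-not $DryRun) { Remove-Item -LiteralPath $item -Force }
    }
    Write-Host ("{0}: {1}" -f ($(if ($DryRun) { 'would rm' } else { 'removed ' }), $item))
}
```

Run it once in the default dry-run mode to see which paths exist and which process, if any, holds the folder open, then flip $DryRun and run it again.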

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean.....we just need to clean up from the scans.......and yes, Avira would be a good choice.

     
  6. GoOnWithTheShow

    GoOnWithTheShow Private E-2

    Thanks, Tim.

    I followed the steps, I first had problems turning System Restore on again (error message said to try again after restart), but after a couple of restarts, it seems to be on (without me trying to turn it on again). Hope that's ok.

I installed Avira Free, and it found some stuff in the C:\recycler folder - which I assume is the Recycle Bin - even though the Recycle Bin was supposed to be empty. It also found some stuff in Spybot's RSTORE folder... I deleted the whole folder - and afterwards hope that that was ok to do...

It also found a trojan in the C:\...\Common Files folder, in an "okrq" folder which contained 4 executables; I deleted the whole folder.

I got an error message ("Windows has encountered a problem with avira...") at the end of the scan. I re-started and re-scanned, and got no new viruses found, only two warnings:

    Begin scan in 'C:\'
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    C:\pagefile.sys
    [WARNING] The file could not be opened!

    I assume that is ok.

    Is there anything else you think I should do before giving the pc back to its owner...

    Thanks again for your help!
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Yes, you turn off System Restore, reboot and then turn it back on....and as I noted, keep SAS and MBAM and have the user run them weekly. You should be fine to return it now. :)
     