Personal Antivirus, Trojans and iNetProtector

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbpathd1, Oct 23, 2009.

  1. bbpathd1

    bbpathd1 Private First Class

    Hey guys, I have found more malware on another computer, Celeron 440@2.00GHz 1.06 GB RAM. I can't even go to a conference and be left alone by the malware. This time it's the computer in a common area where I am staying and a lot of Millennials use it to use Facebook, etc. I'll be here until Monday morning, so I'd like to work on it this weekend; I'd like to finish the cleaning I started, but I know you guys are probably running 5 days behind posts, so I'll understand if you cannot get to me in time.

    Yesterday morning a guy beat me to the computer to look at email and there was a MS crash report when he left. My email was incredibly slow compared to the day before. When I tried to read Yahoo email in the evening, it would barely load and I had to close it with Task Manager and got a MS crash report. Then I noticed the red X on Windows Security Center and found there was no antivirus on the computer. Then a page with Personal Antivirus appeared and said it was never activated (did not realize it was malware at first). I went to the front desk guy and asked him why are you running a computer without antivirus (and no firewall either I later noted). I think you are infected. So I told him I would start cleaning.

    CCleaner showed 629 MB to be removed but hung on a weird name .gif temp internet file. So I unchecked the IE temp internet files and it removed 274 MB. When I rechecked to remove them only 22 MB more were removed.

    In Add or Remove Programs I found a suspicious iNet Protector 3.5.2 but left it for the time being.

    The guy at front desk did not know the password for the Owner admin account, so I went into safe mode and created a new admin account for me to use. I discovered IE7 on reboot.

    There was no Sun Java on computer so I installed it. Adobe Download Manager tried to install but I closed it with Task Mgr.

    I turned on MS Phishing filter when it came up.

    I ran SAS last night--found Rogue Personal Antivirus.

    MB got turned off first run after I went to my room and left a note on the computer to wait for the scan to finish. A Millennial just insisted she had to use the computer.

    When I got back on iNet Protector had a box urging order to take back internet usage for only 29.85, 30 day money-back guarantee! I tried to remove it in Add or Remove Programs but it asked for a password and would not let me remove it.

    On running MB again, it found 8 Trojans.

    Combofix ran fairly quickly, so did Rootrepeal and MG Tools.

    Computer is faster to read email now. iNetProtector is still putting up its order screen. Plus I saw that miserable Windows Messenger in a menu, so I bet it is on here too.


    So I've been spending the rainy evenings with my favorite new pastime--Malware Removal! Hope you'll be able to help me.
     

    Attached Files:

  2. bbpathd1

    bbpathd1 Private First Class

    Rest of logs
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any AV program on this system.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Program Files\iNet Protector\IProtectorService.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. bbpathd1

    bbpathd1 Private First Class

    Hi Tim.

    Yes, no AV! Crazy, aren't they?

    I imagine a couple dozen people have been using this computer while I was at the convention center all day. I would have to beat these kids unconscious to pry their hands off this computer. I'd never seen Facebook until coming here.

    The fix of HJT took iNet Protector out of systray, but it still has a folder with 2 hook.dlls and another iprotect.exe.

    I received a success message about adding the fix to the registry.

    I cannot delete C:\Program Files\iNet Protector\IProtectorService.exe. I get a message box: Error Deleting File or Folder. Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

    The MGTools zip is attached. Thanks.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat on your desktop.
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now let's use ComboFix to remove a bunch of malware files.
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Program Files\iNet Protector\IProtectorService.exe
    C:\WINDOWS\temp\7E95B6FD.TMP
    C:\Documents and Settings\Malware fighter\Local Settings\temp\is-3CETU.tmp
    C:\Documents and Settings\Malware fighter\Local Settings\temp\is-81ODU.tmp
    C:\Documents and Settings\Malware fighter\Local Settings\temp\is-8VER2.tmp
    C:\Documents and Settings\Malware fighter\Local Settings\temp\is-CUPKA.tmp
    C:\Documents and Settings\Malware fighter\Local Settings\temp\is-QRA37.tmp
    
    FCopy::
    C:\MGtools\temp\XPSP2\beep.sysmg | C:\WINDOWS\system32\dllcache\beep.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
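    One way to sanity-check a CFScript of the shape shown above before dragging it onto ComboFix (an added example, not ComboFix's own parser; the directive set and the absolute-path rule are assumptions drawn only from the three directives used in this post, and the sample script is constructed to mirror it):

    ```python
    import re
    from dataclasses import dataclass, field

    # Constructed sample mirroring the structure of the CFScript in the post above.
    SAMPLE_CFSCRIPT = r"""KILLALL::

    File::
    C:\Program Files\iNet Protector\IProtectorService.exe
    C:\WINDOWS\temp\7E95B6FD.TMP

    FCopy::
    C:\MGtools\temp\XPSP2\beep.sysmg | C:\WINDOWS\system32\dllcache\beep.sys
    """

    # Assumption: only the directives used on this page are treated as known.
    KNOWN_DIRECTIVES = {"KILLALL", "File", "FCopy"}


    @dataclass
    class CFScriptPlan:
        kill_all: bool = False
        delete_files: list = field(default_factory=list)   # paths under File::
        copies: list = field(default_factory=list)         # (source, destination) under FCopy::
        problems: list = field(default_factory=list)       # anything a reviewer should look at first


    def parse_cfscript(text):
        """Turn a CFScript into a plan of what ComboFix would be asked to do."""
        plan = CFScriptPlan()
        section = None
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line:
                continue
            header = re.fullmatch(r"([A-Za-z]+)::", line)
            if header:
                section = header.group(1)
                if section not in KNOWN_DIRECTIVES:
                    plan.problems.append(f"line {lineno}: unknown directive {section}::")
                if section == "KILLALL":
                    plan.kill_all = True
                continue
            if section == "File":
                if not re.match(r"^[A-Za-z]:\\", line):
                    plan.problems.append(f"line {lineno}: not an absolute path: {line}")
                plan.delete_files.append(line)
            elif section == "FCopy":
                parts = [p.strip() for p in line.split("|")]
                if len(parts) != 2 or not all(parts):
                    plan.problems.append(f"line {lineno}: FCopy needs 'source | destination'")
                    continue
                plan.copies.append((parts[0], parts[1]))
            else:
                plan.problems.append(f"line {lineno}: content outside a known directive: {line}")
        return plan
    ```

    Reviewing the returned plan (which files get deleted, what overwrites a system file, what ended up outside a directive because of a missing blank line or a typo in a header) is a cheap check before handing the script to a tool that acts on it without confirmation.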
     
  6. bbpathd1

    bbpathd1 Private First Class

    Tim, I no longer have access to the computer.:cry My conference ended and I headed to the airport at noon on Monday (yesterday). I did as much as I could Monday morning before I left, and at least I left the computer in better shape than I found it. I'll tell you what I did below. I'm going to have to email the owner to complete your steps, or more likely, get a techie to help him finish up.

    I need to 'fess up that I thought I would run out of time before you got back to me, so I went ahead with adding things from Chaslang's sticky "How to Protect yourself from Malware!" before we could finish this cleaning, and I put on AV and FW. Because you had recommended PCTools FW as light on resources (as had someone else in the Software Forum), I put on PCTools AV and FW. Got only a false + nir.cmd? on the AV scan. I wanted to ask you if I should have installed the AV sooner since there wasn't one at all when I started cleaning. The computer was so slow that first evening that it took me four hours just to run CCleaner, SAS and MB.

    I installed Spybot and found banker.phb Trojan and three tracking cookies--fixed, of course.

    I fixed Active X settings per the sticky.

    I downloaded Spywareblaster and set it up.

    I downloaded the update for Disabling Autoruns and then completed that procedure.

    I discovered Windows Update had 32 critical updates that the malware must have been preventing from download (Automatic Updates was set for download then notify, but the gold shield icon was not displaying in systray until I had done a lot of these sticky items, and then it just showed the IE8 update). Since IE7 is on the computer, I installed all but IE8. I had installed Spyware Terminator, and it kept asking me to allow the updates. I would change it to installation mode and installation mode would be deactivated after each. KB920213 failed and was not installed the first try but did install along with the 5 software updates I chose. Then I had 8 more critical updates to install. The computer has Win XP SP2. Do you think it would have been all right if I had gone ahead and put SP3 on? I was running out of time so I did not install SP3.

    On Sunday night I didn't think about going into Safe Mode to delete the iNet Protector file, but on Monday morning I thought I would give that a try. To my surprise, I deleted every file in the folder and then the folder itself. Back in Normal Mode I ran CCleaner on the first tab and then registry issues.

    PCTools had not updated for two days and Windows Security Ctr had had the red X. After removal of that iNet Protector folder, PCTools AV is back to updating--seemed it was prevented before.

    While I was in Safe Mode, I changed the owner's account password to something containing his name, and I left him his new password and the password I had used on my account. There is a limited account with a password that all the friends and guests can use. In addition, somehow the guest account disappeared from Safe Mode and showed up in Normal Mode ( found this had happened days ago when I left Safe Mode after creating the admin account I used for cleaning). Is that a question for the Software Forum?

    Computer seemed so much better when I left. Thanks for all your help. I'm going to urge the owner to finish up as you suggest.

    I sure would have liked to have been able to do the rest of what you are recommending. I always like to complete whatever I start. Plus I think it is fun to kill off the malware.

    My thanks to you and Chaslang for helping me in the past and answering my questions so I can learn more. A couple of months ago I would not have had any idea of what to do. Today I am in a different city and I put all of Chaslang's sticky on my sister's new laptop; I'm using it now to reply to you.;)
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know what you completed as far as my last instructions. It might be a good idea to have the owner of the computer email you the MGLogs.zip that I requested and have you attach it so I can see what may still need doing.
     
  8. bbpathd1

    bbpathd1 Private First Class

    Tim, unfortunately I had to fly out on the 26th to my next destination, so I was unable to do anything in your reply on 102709. I was attending a conference and came across the infected computer there when I tried to use it to read my email, but I will not be going back.

    I called the owner and told him there were still cleaning steps to do. I told him I was emailing him your 102709 reply and told him I would help him by email to do the steps you recommended. He told me he would "take care of it."

    I'll contact him again and urge him to do all that you said. Unfortunately, since he had been using this computer without AV or FW, and did not seem at all aware that he needed them, I wouldn't hold my breath waiting for a response from him. I will see if he will email me the MGLogs.zip that you requested. If he does, I will attach it so you can see what still needs doing. I'm curious too and I'd like to see everything finished.

    Would you answer a few questions for me so I'll know next time? Should have installed the AV sooner since there wasn't one at all when I started cleaning? Is it best to wait to put SP3 (or even the missing Windows updates) on after the cleaning? I thought I saw Chaslang say something about it might corrupt the files or something if done before cleaning was finished. Last question is what to do about the guest account disappearing from Safe Mode and reappearing in Normal mode? I can go to the Software Forum to ask but I will not have the computer to work on no matter what.

    Thanks for helping me, Tim. I appreciate all you do at Majorgeeks so much
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, that should have been the first thing to do. However, some malware will block the installation. But that is additional information for us to work with.
    You should never try to do an update unless you know the system is clean.
    Not sure about that....yes do ask in the software forum.
    You are most welcome. :)
     
