User's machine hasn't had AV in 2 years!!! Completely overtaken! - Logs Attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by axlmastr, Jul 12, 2013.

  1. axlmastr

    axlmastr Private E-2

    The user of this machine is an elderly man that is not very computer literate so he was not aware that his machine didn't have any AV on it for the last 2 years or so. He took it to an independent "white box builder" shop back in January 2011 for infected behaviors and they used CCleaner, Malwarebytes, & Combofix amongst other things to clean his machine. They handed it back to him without any AV and failed to remove the last traces of Combofix (Qoobox catchme log, and such). The user had no idea how he was supposed to protect the machine after the shop "cleaned it". Recently the user complained of issues with slowness and his webmail (Yahoo) not working correctly. He was going to take it to the same shop until I asked to take a look at it. Thanks in advance.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the Hitman Pro log; however, let's wait on that unless you already have the log. If you have it, attach it now. I will be asking for a new log at the end of this message.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2.000\govlog.dat
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2.000\Local Settings\Application Data\ddajiifd28.nls
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2.000\Local Settings\Application Data\dfl28z32.dll
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2.000\Local Settings\Application Data\svcxdcl32.dat
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2.000\Local Settings\Application Data\wsr28zt32.dll
     
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.



    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run a new scan with Hitman Pro and attach a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • the Hitman Pro log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. axlmastr

    axlmastr Private E-2

    Sorry about the HitmanPro log chaslang. I thought I put it up there since I had it like the others. I copied the logs to a thumbdrive and posted from a different machine. This machine has not been online since it was given to me. I refused to put it on my network since it appears to be well neglected. Log is attached.

    Oh - just noticed that the log was too large (592k) for the forum limits and wouldn't upload. I guess I missed that issue at the time. I've zip compressed it and attached. Let me know if it comes through.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! This file is rather troubling in that it is questioning many EXE files.

    Also when I look at the newfiles.txt log in MGlogs.zip, I see that many EXE files were changed on July 4th. This is also troubling and it makes me worry that there really could be some form of PE infection.

    What was done on July 4th that would make so many files have changed dates?
     
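    The observation above, that a large share of executables sharing one modification date can be a sign of a PE file infector, can be turned into a triage check. The script below is an added example, not part of the thread or of the MGtools log format: it parses a constructed dir-style listing (a stand-in for newfiles.txt, whose real layout is assumed) and flags days on which most PE files on the box were modified together. Legitimate mass changes (service packs, patch Tuesday) produce the same cluster, so a flagged day is a lead to cross-check against update history and file hashes, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of a "dir /s" listing; the dates are made up
# but mirror the thread's observation: a cluster of EXE files sharing one mtime.
SAMPLE_LISTING = """\
07/04/2013  09:12 AM           102400 C:\\WINDOWS\\system32\\calc.exe
07/04/2013  09:12 AM           145920 C:\\WINDOWS\\system32\\notepad.exe
07/04/2013  09:13 AM           221184 C:\\WINDOWS\\explorer.exe
07/04/2013  09:13 AM            65536 C:\\Program Files\\Example\\app.exe
07/04/2013  09:13 AM            98304 C:\\Program Files\\Example\\helper.exe
08/23/2011  02:45 PM            34816 C:\\WINDOWS\\system32\\ping.exe
02/10/2012  11:02 AM           512000 C:\\Program Files\\Example\\readme.txt
07/04/2013  09:14 AM            20480 C:\\Program Files\\Example\\config.ini
"""

# date, time, AM/PM, size, then the path (which may contain spaces)
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+\S+\s+\S+\s+(\d+)\s+(.+)$")
PE_EXT = (".exe", ".dll", ".scr", ".sys")

def parse_listing(text):
    """Yield (date, size, path) for each parsable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            yield day, int(m.group(2)), m.group(3)

def mass_modification_days(text, min_share=0.5, min_count=3):
    """Return {date: [paths]} for days on which an unusually large share of the
    PE files in the listing were modified.

    A file infector rewrites many executables in one pass, so their mtimes
    cluster on a single day. Non-PE files are ignored because such an infector
    would not touch them; min_count avoids flagging a box with only a few PEs.
    """
    by_day = defaultdict(list)
    total = 0
    for day, _size, path in parse_listing(text):
        if path.lower().endswith(PE_EXT):
            by_day[day].append(path)
            total += 1
    if total == 0:
        return {}
    return {day: paths for day, paths in by_day.items()
            if len(paths) >= min_count and len(paths) / total >= min_share}

if __name__ == "__main__":
    for day, paths in mass_modification_days(SAMPLE_LISTING).items():
        print(f"{day}: {len(paths)} PE files modified together")
        for p in paths:
            print("   ", p)
```

On the constructed sample the July 4th cluster is flagged (5 of 6 PE files), while the lone ping.exe from 2011 and the non-PE files are not.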
  5. axlmastr

    axlmastr Private E-2

    As the tale goes the user was having trouble with his Yahoo webmail. He has AT&T service so he contacted them to "fix" it. He says they remote accessed this machine and made some changes to help him. Their actions did not satisfactorily correct his issues so he instructed them to have Yahoo fix it. Supposedly Yahoo then remote accessed this machine to help him. The machine has been right since and he believes that maybe when his machine was remote accessed something went wrong then or thereafter. I'm not sure. I have yet to have him show me what Yahoo did to "screw up his email" as this apparently has happened once before. I'm not sure of the time frame the previous infections occurred but I also noted that Combofix was used by a local "whitebox builder" as its traces are still evident. I know from my past experience that using Combofix usually means serious infestation; I just don't know if the people using it were well versed in its implementation.
    The user is an elderly man reaching retirement and has little tech savvy and a complete dislike for change as many of my users did. His perspective of monumental change is a grain of sand to me but I am willing to help him.


    I was having issues with the Windows Repair Tool after leaving it overnight. It ran for 20+ hours elapsed and yet it was only on 4 of 11. It had three command windows open at that time but they hadn't updated at all from the night before when I left the machine. Then I decided to close the windows one by one and even though one of them hit me with a "this program is not responding" message they all finally closed and then Windows Repair continued to scan further. I had to do this a few more times until the reboot took place. The machine rebooted and now has a high CPU throttle (45-65%) and steady HDD activity with no input from me. I am going to attempt JRT next.

    Update: JRT just completed. As it stands the machine throttles 70-100% CPU with a steady 445-460MB of Commit Charge memory in Task Manager with nothing but a desktop in front of me. No input from me at all. I will post logs momentarily.
     
  6. axlmastr

    axlmastr Private E-2

    Here's the OTM and JRT logs. I tried to get the logs for MGTools but because the CPU is running nearly 100% for the last hour or so that I have been on this machine running the GetLogs.bat it seems to take forever to get anywhere with it. It's been stuck on "Finding copies of WMIsvc.dll" for the last 45 minutes. I needed to go somewhere so I left it running until tomorrow. Thanks
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay just attach the log when it finishes. But I can tell you right now that the problems on this PC may not be due to malware. At least not at this point. This may be a candidate for a reinstall or possibly a reimage from the factory partition if it is still intact.
     
  8. axlmastr

    axlmastr Private E-2

    Hey chaslang,

    Per the machine owner's request I removed the necessary files they wanted to save and wiped the entire drive including the OEM partition with a 6 pass random wipe. I reconfigured the partitions with Parted Magic from my UBCD and installed a fresh copy of slipstreamed XP using the OEM key. The machine runs so much better without the OEM bloatware and simplifies additional install and config. The user has his machine back and he's happy. I am happy to see it leave.

    It turned out it was a legitimate PE known as Expiro. I have read one successful attempt at recovering from this nasty on a machine equivalent to my infestation. It was posted on bleepingcomputer by a user with a work related notebook who inherited a former user's job position and machine. The machine was used for cell tower updates and therefore was prohibited from using an AV so the former user tried to use the machine on the internet anyway. I read the logs and they looked just like mine. Same files and pretty much the same quantity. The poster used a variety of removal software and mentioned a few that I have not seen mentioned in this forum. It all came down to one svchost file that was stubborn but finally eradicated.

    Thanks for the help on this one. It was still a learning experience.

    This thread is considered closed.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Glad to hear you have it up and running again.
     
