I have a friend's old computer that is badly infected. It is an old socket 478 P4 with hyperthreading and is very slow. He wants me to disinfect it for him so he can reuse it, as he can't afford a new PC.
I notice it has created several user accounts even though there are only 3 accounts.
It also has created an administrator account that is password protected and no way to access the original three accounts as it always says I need admin privileges.
Here are the requested attachments from the sticky.
Here is the aswMBR log as well. I am allowed only upload 4 files per message.
Hi, MarkJohnson
Can you explain this to me in more detail?
I notice it has created several user accounts even though there are only 3 accounts.
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Under the users folder (Documents and Settings), there are several different user accounts.
The main three are:
Steve
Lane
Will
Then each one has offshoots:
Steve.STEVE-DCD439417
STEVE~1~STE
Lane.STEVE-DCD439417
Lane Sari
Will.STEVE-DCD439417
Also, Administrator has one:
Administrator.STEVE-DCD439417
All Users has a different secondary account.
All User.WINDOWS
If I go to the start menu, it says Steve, but the command prompt shows Steve.STEVE-DCD439417.
If I try to access Steve, Lane, or Will through Windows Explorer, I get a "need admin access" prompt; I click Yes, and it just comes back up asking for admin access again, never giving it to me.
I attached a picture of my Users folder (Documents and Settings) called usersfolder.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKU\Lane.STEVE-DCD439417\...\Run: [MyWebSearch Email Plugin] - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1
HKU\Will.STEVE-DCD439417\...\Run: [DealAssistant] - C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\DealAssistant\dealassistant.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\DealAssistant
SearchScopes: HKCU - {EB362DE5-841B-4D95-BABF-15E7DF8C412D} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=0D90AAC2-7309-4E68-A2C0-E2AF5628D7FF&apn_sauid=0DEED6AB-A302-4448-8107-E569C40AF7A6
Toolbar: HKCU - No Name - {9D4FBF3A-0843-430E-93D8-6540190D3914} - No File
C:\Documents and Settings\lane\hpothb07.dat
C:\Documents and Settings\Lane.STEVE-DCD439417\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Lane.STEVE-DCD439417\jagex_cl_runescape_LIVE1.dat
C:\Documents and Settings\Lane.STEVE-DCD439417\random.dat
C:\Documents and Settings\lLane Sari\hpothb07.dat
C:\Documents and Settings\Steve.STEVE-DCD439417\hpothb07.dat
C:\Documents and Settings\Steve.STEVE-DCD439417\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Steve.STEVE-DCD439417\random.dat
C:\Documents and Settings\lane\Local Settings\Temp\MSIMClientSetup.exe
C:\Documents and Settings\Lane.STEVE-DCD439417\Local Settings\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Documents and Settings\Lane.STEVE-DCD439417\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Lane.STEVE-DCD439417\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Steve.STEVE-DCD439417\Local Settings\Temp\lowproc.exe
C:\Documents and Settings\Steve.STEVE-DCD439417\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Steve.STEVE-DCD439417\Local Settings\Temp\stubhelper.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\FP_PL_MSI_INSTALLER.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna1729584826824709865.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna2844490633014443991.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna3066180800488529671.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna3539815462352464712.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna387560194151699619.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna5192460568394695386.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna521649092155462417.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna5847565165397955053.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna6404761330644359964.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna6532036411290653922.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna6587477333838688037.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna6829395141736070725.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna7597608420213908250.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna872345477951331828.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jna8724480127979752842.dll
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\NEW138.tmp.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Local Settings\Temp\setup_wm.exe
HKU\Will.STEVE-DCD439417\...\Run: [AVG-Secure-Search-Update_0913a] - C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 73ac23dc891a47d19833d14530716aac-06ce4fc639803a2e3563922518183d8e94088cb9 --CMPID 0913a
(AVG Secure Search) C:\Program Files\AVG SafeGuard toolbar\AVG-Secure-Search-Update_MAY2013_TB.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\AVG 0913a Campaign
C:\Program Files\AVG SafeGuard toolbar
CHR HomePage: hxxp://mysearch.avg.com/?cid={54793A0A-5BD5-41AF-BB75-C2F910D3A046}&mid=73ac23dc891a47d19833d14530716aac-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2013-05-03 19:14:13&v=15.2.0.5&pid=safeguard&sg=0&sap=hp
CHR RestoreOnStartup: "hxxp://mysearch.avg.com/?cid={54793A0A-5BD5-41AF-BB75-C2F910D3A046}&mid=73ac23dc891a47d19833d14530716aac-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2013-05-03 19:14:13&v=15.2.0.5&pid=safeguard&sg=0&sap=hp"
CHR DefaultSearchURL: (AVG Secure Search) - http://mysearch.avg.com/search?cid={54793A0A-5BD5-41AF-BB75-C2F910D3A046}&mid=73ac23dc891a47d19833d14530716aac-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2013-05-03 19:14:13&v=15.2.0.5&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
CHR DefaultSuggestURL: (AVG Secure Search) - http://toolbar.avg.com/acp?q={searchTerms}&o=1
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Steve.STEVE-DCD439417\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll No File
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-10-01] (AVG Technologies)
C:\WINDOWS\system32\drivers\avgtpx86.sys
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then…
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
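As an added illustration that is not part of the thread and not FRST's own code, the snippet below parses lines in the fixlist format quoted above (Run values, bare paths, browser settings, an R1 driver line, a cmd: line) and flags autostart or driver entries whose binary is not also listed for removal. The sample text is constructed from the shapes above; the "ExampleLoader" entry is invented.

```python
import re
from typing import Dict, List
# Constructed sample in the shape of the fixlist above (an illustration of the
# format, not FRST's own parser); the "ExampleLoader" entry is invented so one
# autostart target is deliberately left without a matching path line.
SAMPLE_FIXLIST = r"""
HKU\Lane.STEVE-DCD439417\...\Run: [MyWebSearch Email Plugin] - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1
HKU\Will.STEVE-DCD439417\...\Run: [DealAssistant] - C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\DealAssistant\dealassistant.exe
C:\Documents and Settings\Will.STEVE-DCD439417\Application Data\DealAssistant
HKU\Steve.STEVE-DCD439417\...\Run: [ExampleLoader] - C:\Documents and Settings\Steve.STEVE-DCD439417\Application Data\Example\loader.exe /silent
CHR DefaultSuggestURL: (AVG Secure Search) - http://toolbar.avg.com/acp?q={searchTerms}&o=1
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-10-01] (AVG Technologies)
C:\WINDOWS\system32\drivers\avgtpx86.sys
cmd: ipconfig /flushdns
"""

# Autostart value: <hive>\...\Run: [name] - <path ending in .exe/.dll> [arguments]
RUN_RE = re.compile(r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - "
                    r"(?P<target>[A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)
# Driver/service line: R1 <service>; <path> [size date] (vendor)
DRIVER_RE = re.compile(r"^R\d+ (?P<name>\w+); (?P<target>[A-Za-z]:\\.+?) \[")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                                  # bare file/folder to remove
BROWSER_RE = re.compile(r"^(?:CHR \w+|FF \w+|Toolbar|SearchScopes):")  # browser / IE settings

def classify(line: str) -> Dict[str, str]:
    """Map one fixlist line to its kind and, where it has one, the path it points at."""
    for kind, rx in (("run_key", RUN_RE), ("driver", DRIVER_RE)):
        if m := rx.match(line):
            return {"kind": kind, "name": m["name"], "target": m["target"]}
    if PATH_RE.match(line):
        return {"kind": "path", "name": line, "target": line}
    kind = "cmd" if line.startswith("cmd:") else "browser" if BROWSER_RE.match(line) else "other"
    return {"kind": kind, "name": line, "target": ""}

def parse_fixlist(text: str) -> List[Dict[str, str]]:
    return [classify(l.strip()) for l in text.splitlines() if l.strip()]

def uncovered_targets(entries: List[Dict[str, str]]) -> List[str]:
    """Run/driver entries whose binary is not also listed (itself or via its folder):
    deleting only the registry value leaves the file on disk. Windows paths are case-insensitive."""
    listed = {e["target"].lower() for e in entries if e["kind"] == "path"}
    flagged = []
    for e in entries:
        if e["kind"] in ("run_key", "driver"):
            t = e["target"].lower()
            if not any(t == p or t.startswith(p + "\\") for p in listed):
                flagged.append(e["name"])
    return flagged
```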
It seems pretty slow still. It's really hard to tell, as this is a slow single core P4 with hyperthreading and an old PATA hard drive. It's about 10 years old.
It feels pretty sluggish even at that.
I had 2 issues.
First, it says Spyware Doctor was running, when it wasn’t in the system tray and I had no way of turning it off.
Second, it reported it couldn’t find Windows System Recovery and it downloaded and installed it for me.
I have uninstalled Spyware Doctor after the scan completed and rebooted. It had errors, but it was uninstalled and also reported it was shutting down the service, so it was apparently running partially, although it never ran manually and always gave an initialization error or some such before.
I’m currently away, we’ll continue later…
Re-run FRST, click on Scan, and attach a fresh log…
Here are the scan results.
Hello,
Open notepad and copy/paste the text present inside the code box below:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=-
Folder::
c:\documents and settings\Lane.STEVE-DCD439417\Application Data\AVG SafeGuard toolbar
c:\documents and settings\Lane.STEVE-DCD439417\Local Settings\Application Data\AVG SafeGuard toolbar
ClearJavaCache::
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (Typical location: C:\ComboFix.txt)
About the multiple users you asked about:
All Users.WINDOWS is created when Windows is reinstalled without formatting the partition.
The other folders were probably created in the same way.
Can you open these strange folders and attach screenshots of all of them?
Here is the log.
I’ll add the screenshots.
Are there other folders you need?
Computer is clean, no malware/adware present…
These folders are made by installation, they are not related to malware.
It's an old PC, and a P4 (which is very old) isn't fully capable of meeting today's resource needs. So the slowness is directly caused by the configuration…
That’s what I assumed.
Thanks so much for your help.
-=Mark=-
No problems 
Let’s clear the tools:
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore
Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
Stay safe, and keep your software updated, especially system, Java, Adobe Reader, and browsers 
Best regards.