Author Topic: Windows XP shunted! Plz help me clean my parents' PC...


neuroticinsomniac

  • Guest
Windows XP shunted! Plz help me clean my parents' PC...
« on: June 01, 2011, 09:08:45 PM »
It happens to us all: being called upon to provide IT support for the folks!
Well, Mom's gone and got her XP box completely jacked, and I'm charged with cleaning up the mess.

Whatever it is, it's getting past the Free Avast! boottime scan, and so I've followed the excellent instructions given by essexboy on the thread: http://forum.avast.com/index.php?topic=53253.0

Hopefully it's cleaned up now, but here's the MBAM log.
Unfortunately the OTS log was too large to attach. I will split into two files and post again below...

 (...and BTW, I've told them over and over again, for the love of all things Holy, PLEASE give up on AOL! but sometimes you just can't win.)


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/1/2011 1:28:26 PM
mbam-log-2011-06-01 (13-28-26).txt

Scan type: Quick scan
Objects scanned: 168494
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




A big ol' "THANKS, Y'ALL!" from Texas...
- John

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #1 on: June 01, 2011, 09:10:25 PM »
If it is too big to attach, then upload it to Mediafire and post the sharing link.

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #2 on: June 01, 2011, 09:16:34 PM »
Great suggestion, and thx for quick reply!
http://www.mediafire.com/?pdbb2vcb7ia7c20

Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #3 on: June 01, 2011, 11:50:10 PM »
Have you lost all the start menu programmes and desktop icons?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\] > -> HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\] > -> HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "UtYUtxpPbB" -> [C:\Documents and Settings\All Users\Application Data\UtYUtxpPbB.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\] > -> HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  16965412 -> C:\Documents and Settings\All Users\Application Data\16965412
NY ->  ~18341668r -> C:\Documents and Settings\All Users\Application Data\~18341668r
NY ->  ~18341668 -> C:\Documents and Settings\All Users\Application Data\~18341668
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Compaq_Owner.PHYLLIS\Desktop\Windows XP Recovery.lnk
NY ->  18341668 -> C:\Documents and Settings\All Users\Application Data\18341668
[Files - No Company Name]
NY ->  16965412 -> C:\Documents and Settings\All Users\Application Data\16965412
NY ->  ~18341668r -> C:\Documents and Settings\All Users\Application Data\~18341668r
NY ->  ~18341668 -> C:\Documents and Settings\All Users\Application Data\~18341668
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Compaq_Owner.PHYLLIS\Desktop\Windows XP Recovery.lnk
NY ->  18341668 -> C:\Documents and Settings\All Users\Application Data\18341668
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #4 on: June 02, 2011, 12:21:57 PM »
You were correct, all desktop icons were hidden, as were all Programs. The background color was changed to red as well.

I may have jumped ahead in my haste, and I apologize...but I ran a full MBAM scan again overnight and "fixed" some more things.

Here's that report:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/2/2011 4:51:37 AM
mbam-log-2011-06-02 (04-51-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318088
Time elapsed: 2 hour(s), 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP13\A0016998.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP13\A0017000.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP13\A0017001.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP13\A0017002.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP14\A0017272.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp30\a0033316.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.



I just now ran the OTS fix you provided, and here is the resulting report:


[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UtYUtxpPbB not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
Registry value HKEY_USERS\S-1-5-21-2554975061-1779180781-1490098313-1009\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
[Files/Folders - Modified Within 30 Days]
File C:\Documents and Settings\All Users\Application Data\16965412 not found!
File C:\Documents and Settings\All Users\Application Data\~18341668r not found!
File C:\Documents and Settings\All Users\Application Data\~18341668 not found!
File C:\Documents and Settings\Compaq_Owner.PHYLLIS\Desktop\Windows XP Recovery.lnk not found!
File C:\Documents and Settings\All Users\Application Data\18341668 not found!
[Files - No Company Name]
File C:\Documents and Settings\All Users\Application Data\16965412 not found!
File C:\Documents and Settings\All Users\Application Data\~18341668r not found!
File C:\Documents and Settings\All Users\Application Data\~18341668 not found!
File C:\Documents and Settings\Compaq_Owner.PHYLLIS\Desktop\Windows XP Recovery.lnk not found!
File C:\Documents and Settings\All Users\Application Data\18341668 not found!
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.43.0 fix logfile created on 06022011_051255


I will hold off doing anything else until you give the go-ahead.
And again...thanks so much for your help with this!

- John
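As an added example (not part of this thread and not Malwarebytes' own code), the Python below parses the layout of the two MBAM logs posted above, cross-checks each summary count against the items actually listed, and explains what the PUM.* policy values from the quick scan and the System Restore snapshot hits from the full scan mean for the person at the keyboard. The log excerpt is constructed from the entries in those two posts; the value names and restore-point path are taken from them.

```python
import re

# Constructed excerpt in the layout of the mbam-log files posted in this thread;
# the registry value names and restore-point path are taken from those logs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Registry Data Items Infected: 2
Files Infected: 1

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP13\A0016998.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Policy values flagged as PUM.* in the quick-scan log, with the symptom each one causes
POLICY_SYMPTOMS = {
    "NoDesktop": "desktop icons hidden",
    "NoChangingWallPaper": "wallpaper locked",
    "DisableTaskMgr": "Task Manager blocked",
    "AntiVirusDisableNotify": "Security Center anti-virus warnings silenced",
    "FirewallDisableNotify": "Security Center firewall warnings silenced",
}

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (summary counts, detected items per section) from an MBAM 1.x text log."""
    counts, items, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):          # "Files Infected: 6" style summary line
            counts[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):         # "Files Infected:" opens a detail section
            section = m["section"]
            items[section] = []
        elif section and (m := ITEM_RE.match(line)):
            items[section].append({"target": m["target"], "family": m["family"], "action": m["action"]})
    return counts, items

def review(text):
    """Cross-check header counts against listed items and explain each finding."""
    counts, items = parse_mbam_log(text)
    notes = []
    for section, n in counts.items():  # a mismatch means the log is truncated or edited
        listed = len(items.get(section, []))
        if n != listed:
            notes.append(f"count mismatch in {section}: header {n}, listed {listed}")
    for it in items.get("Registry Data Items Infected", []):
        value = it["target"].rsplit("\\", 1)[-1]  # last path component is the value name
        notes.append(f"{value}: {POLICY_SYMPTOMS.get(value, 'policy tampering')}")
    for it in items.get("Files Infected", []):
        if "\\_restore{" in it["target"].lower():  # copy held inside a System Restore snapshot
            notes.append(f"{it['family']} only in a System Restore snapshot; clear restore points")
    return notes
```

A hit that lives only under `System Volume Information\_restore{...}` is a dormant copy in a restore point, which is why the cleanup fix at the end of this thread clears all restore points.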

Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #5 on: June 02, 2011, 07:26:03 PM »
I hope that you have not emptied your temporary files, as the shortcuts may be hidden there.

Download Unhide.exe to your desktop and run it.

On completion, let me know if the desktop and icons are back.

Could you also run a fresh OTS scan for me, please?

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #6 on: June 02, 2011, 09:13:13 PM »
Things are looking better, kind Sir! I now see desktop items that I never knew existed.

Now, I can only hope that other machines at their house are not infected. In fact, I should get over there right away and install MBAM...

The new OTS log (~250KB) is here: http://www.mediafire.com/?loob39z61qjre5j



Again, thank you so much for your help.
- John

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #7 on: June 02, 2011, 09:20:13 PM »
Something I just noticed on the desktop...is this significant?

A text document titled "hs_err_pid2712", and I posted it here: http://www.mediafire.com/file/4vqc7aygnh6hezc/hs_err_pid2712.log


Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #8 on: June 02, 2011, 11:21:35 PM »
It appears to be a HotSpot error report on a Java call. What are your current problems?

Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  Symantec NetDetect.job -> C:\WINDOWS\tasks\Symantec NetDetect.job
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #9 on: June 02, 2011, 11:35:46 PM »
I'm not aware of any Java issues at the moment, that file just appeared on the Desktop after we "unhid" everything. No worries then.

Here's the latest OTS fix log.

Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #10 on: June 02, 2011, 11:37:17 PM »
Nope. What are your current problems?

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #11 on: June 02, 2011, 11:45:18 PM »
Everything appears fixed!

Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #12 on: June 02, 2011, 11:53:46 PM »
Run your computer as normal and, if you are still happy tomorrow, let me know and I will remove my tools.

neuroticinsomniac

Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #13 on: June 03, 2011, 05:47:33 PM »
So far so good today. I can never predict what they will innocently try to install next, but I'm better prepared for it now.

Let me know what you need to "clean up" and I'll get this back over to them...and set about checking out the other two PCs there very carefully.

Offline essexboy
Re: Windows XP shunted! Plz help me clean my parents' PC...
« Reply #14 on: June 03, 2011, 06:05:22 PM »
Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]
 

The fix should only take a very short time.

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN
 
Download and run Puran Disc Defragmenter.
For the first run I would recommend a boot defrag and disk check.




Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
Malwarebytes. Update and run weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe  :wave: