Hi,

I'm trying to get some malware off of someone's computer. They had a fake anti-virus that had locked down all controls on the system including the background and system restore control etc - I got past that, used the latest Malware Bytes' Anti-Malware on a full scan, then the latest AVG Free 9 with a full scan (all file types), and a Spybot Search and Destroy scan.
Also did an sfc /scannow (restore all altered MS windows files) - everything seemed to be working great. Got all the latest MS updates, installed Firefox and Chrome.
But the person I was trying to help brought it back to me and said it was acting up again. I then noticed when I was searching for something in Google using Chrome that my searches were being re-directed.
To test this, I typed in anti-virus and it displayed the correct results, but when one was clicked on, it re-directed to a phony AV site. So, I ran a full scan using TrendMicro HouseCall - nothing found. I did a full scan using Panda Activescan - nothing found.
At this point, Spybot, MBAM, AVG, TrendMicro, and Panda are all saying clean but it obviously isn't. MS files are intact. :confused:
The only thing I did notice is that I couldn't reset the TCP / IP stack using
netsh int ip reset resetlog.txt (see MS KB article here (http://support.microsoft.com/kb/299357)) It says it couldn't find the RPC service or something. I would tell you the exact error message but it doesn't give that error any more, it just accepts the command like nothing is wrong.
I also checked and there is no proxy set in Internet Options.
So, I ran HJT 2.0.3 beta and the log is attached here! Any help is greatly appreciated. If you need anything further from me, let me know. :)
:thanks:

I forgot to mention, I shut off System Restore (once I got control of the System Restore tab back) as well to get rid of the initial infection. (Well, I thought I got rid of it! :sick: ) It is off at this point.

j_r_2

Welcome to the forum. Let me ask you, are you helping a friend or do you do this for a living ?

You need to go to your profile and remove the link for Hard Light Productions, this is a forum for malware removal not an advertising site

I fix computers for a living.
I don't know if that makes a difference, if you don't feel right answering the question because I get paid for it, let me know.

And Hard Light Productions is a FreeSpace2 Modding community that I am a member of. Let me know if I have to remove it anyways.

I'm sorry but this forum is for helping home users clean malware off there systems, we don't offer free help for someone who takes that info and turns around and charges a fee to a customer to fix there system. We also don't allow advertising on our site.

Thanks ken

Do you know of any forum where repair techs can exchange knowledge on Malware removal? I used to get help here before I started my own business and you guys were helpful but now that I'm charging for services I'm going to have to find another resource if I actually want to ask questions. Thanks.

Oh, and I will remove the link to the FreeSpace 2 modding community at Hard Light Productions in my signature, I didn't know you weren't allowed to advertise things that were free.

I do charge to remove virii and / or spyware and I did successfully remove PC Antivirus 2010 from the customer's computer

For those who may be interested in actually fixing this; ( I will post back if it is successful)

Upon further review of the HJT log I will be removing:

Edit
Removed as per forum FAQ.

Normally I do leave Spybot Search and Destroy installed on the customer's computer if it was a help in removing their problem. MBAM + AVG Free take it today with a little (ok, a lot) of assistance from me. Maybe they will purchase the full version.

EDIT: Can someone remove the previous post as editing posts is not allowed and I forgot the code tags? Thanks

Thanks ken

Do you know of any forum where repair techs can exchange knowledge on Malware removal? I used to get help here before I started my own business and you guys were helpful but now that I'm charging for services I'm going to have to find another resource if I actually want to ask questions. Thanks.

Oh, and I will remove the link to the FreeSpace 2 modding community at Hard Light Productions in my signature, I didn't know you weren't allowed to advertise things that were free.

I do charge to remove virii and / or spyware and I did successfully remove PC Antivirus 2010 from the customer's computer

For those who may be interested in actually fixing this; ( I will post back if it is successful)

Upon further review of the HJT log I will be removing:

Edit
Removed as per forum FAQ ;)

Hi,

The only thing I can suggest is to read the forums, but remember all systems and all infections are different and what one tool can do to clean an infection the same tool can disable a system.

What I posted earlier still stands, this forum is set up for helping home users, we don't help on corporate computers as this can open up a bag of worms legally, we suggest they contact there IT Department for help, and we don't help someone clean another persons computer for pay.

Thanks for being up front with me about it.

Take care,

Ken