My friend's computer has been hijacked!

[The Cross-Eyed Bear]

Hi,

This is my first post. I'm trying to help a friend/neighbour. A few evenings ago she brought her laptop to me saying she couldn't connect to the internet. She has XP installed on a seven(?)-year-old computer. After starting her computer, Windows said that it could find no program. She said that she had had one of some kind (she couldn't remember what) but now it was nowhere to be seen, at least not in the system tray.

I had the Kaspersky Virus Removal Tool on my USB stick and after running it (which took a couple of hours) it found 503 infections, mostly trojans. I got rid of those and ran Antirootkit, which found 5 infections. I noticed that she only had the Windows Firewall so before she tried connecting to the internet I installed the Comodo firewall. I also installed Avira and ran a scan, which found another 80 or so infections. I then left the computer with her for reasons too complicated to go into.

Two days later she was back because she still couldn't connect to the internet. Avira didn't seem to be loading either (or maybe she had uninstalled it in trying to find out what was wrong?). We decided to try restoring the system to an earlier configuration that might at least allow us to connect to the internet, even if the PC was still infected, but System Restore was unable to finish. I remembered then that one of the scans I had run had found several viruses in the restore points.

I was hoping that she had Dell PC Restore because her computer is a Dell, but it isn't installed on her computer and she has no idea where the CDs are (somewhere back in Australia, she says).

I put several software programs that I happened to have on my USB stick onto her computer and installed one or two of them. Several of them are a month or two old so maybe their virus signatures are a little out of date. I tried running HijackThis but it wouldn't load. It was the same story with several other monitoring programs (which I probably couldn't have read anyway. I'm still a relative beginner).

On startup a message would come up saying that RUND(something).dll couldn't start. I looked it up and found this was a virus. Looking in msconfig I found I it in the startup menu. There I also found yt8a, which also turned out to be a virus. It kept starting up, even when I disabled it and tried to delete it with msconfig CleanUp. It just wouldn't go away! Finally, by running a trial version of Norton 2009 antivirus in safemode I think I have managed to get rid of it. However, Norton later didn't want to start in normal mode. Of course, I'm not able to connect to the internet so can't update any of these programs and I'd rather not keep downloading programs to my USB stick and putting them on my friend's computer if it can be avoided. Even just plugging my USB stick into my friend's computer got me two infections (that Kaspersky was able to get rid of).

Finally after reading some threads on this site, I found that by changing HijackThis.exe to sniper.exe I might be able to run HijackThis. I did and ran a scan. I also ran SuperAntiSpyware as you suggested with the correct boxes ticked and it found nothing. I then ran Malwarebytes. It found 121 infections. I re-scanned after reboot and the scan was clean. I then re-ran HijackThis because it seemed to have to be in that order. Before this I ran Ccleaner and ATFcleaner. Below are the SAS scan, the Malwarebytes scan and the HijackThis scan. Please help!

Sorry, too much info. I'm posting the logs in another message.

[The Cross-Eyed Bear]

SAS and HJT logs to the above message. MWB log is attached because too big:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/08/2008 at 04:16 AM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type       : Complete Scan
Total Scan Time : 01:12:28

Memory items scanned      : 341
Memory threats detected   : 0
Registry items scanned    : 4318
Registry threats detected : 0
File items scanned        : 44975
File threats detected     : 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:37 PM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] "C:\Program Files\Dell\AccessDirect\dadapp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: HBmhly.dll,HBASKTAO.dll Æ×ÄÊÀ‹ÁÉÉ kandawf.dll ÈÌ×ÒßËÑ‹ÁÉÉ ÝÖÌÖÆÊ‹ÁÉÉ ×ÀÝÉÏÀÍ‹ÁÉÉ docyanx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: gvlcgcko.dll - {D1CC9DC6-F0BC-40fc-9552-E497B05E05B8} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: is-9RETM - Kaspersky Lab - (no file)
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5136 bytes


[Saving space - attachment deleted by admin]

[The Cross-Eyed Bear]

Hi,

If anyone was going to respond don't worry, I've now resolved it.

[mroilfield]

Can you tell us what you did to resolve it?  I would also post some clean scans and let the specialist here look at them just to be sure every thing is OK.

[The Cross-Eyed Bear]

I have no idea what it was that finally did the trick. I disabled 'Restore points' and then re-enabled it so as to get rid of any viruses hiding there. I could see one virus on the HijackThis scan and deleted it directly from HijackThis. I wasn't sure if this was a great idea but my friend couldn't wait a whole weekend for better advice. At some stage the Windows warning showing that we had no antivirus software disappeared and Norton re-appeared in the systems tray. Suddenly we could connect to the internet again.

However, an hour later the Windows antivirus warning was back and Norton was no longer there. To be fair to Norton, I had installed it while not connected to the internet and while the computer was badly infected. It had warned me at the time that it wasn't properly installed but I ploughed on regardless.

I uninstalled Norton and installed Avira and a scan found the trojan that I had tried to delete from HijackThis:

AppInit_DLLs: HBmhly.dll,HBASKTAO.dll Æ×ÄÊÀ‹ÁÉÉ kandawf.dll ÈÌ×ÒßËÑ‹ÁÉÉ ÝÖÌÖÆÊ‹ÁÉÉ ×ÀÝÉÏÀÍ‹ÁÉÉ docyanx.dll

Different antimalware programs label it differently and I can't remember what Avira called it but other aliases are:

Infostealer.Gampass [Symantec]
Trojan-GameThief.Win32.OnLineGames.tqvt [Kaspersky Lab]
Mal/Dropper-O, Mal/Mdrop-B, Mal/Behav-214, Mal/Behav-106, Mal/Dropper-Y [Sophos]

Anyway, after a reboot, a scan that showed Avira had indeed managed to get rid of it and it hasn't reappeared since.

I have now installed Comodo firewall to replace the Windows firewall that clearly wasn't doing its job. I have also installed Sandboxie and changed the browser to Firefox (while keeping IE on there in case she needs it someday).

If somebody tells me which scans I'm supposed to run to make sure the computer is now really clean I will gladly run them, that is, if my friend gives me access to her computer again now that it safely back in her hands and 'apparently' virus free.

Just as a side issue, when I came to use my USB memory stick, which had been in and out of my friend's infected computer like...I don't know what, it kept asking me which program I wanted to open my E Drive with and none of the options would do. I simply couldn't access anything on my memory pen, despite the fact that Kaspersky scans, Malwarebytes scans and Spysweeper scans said it was clean. Finally I read the following article: (...Sorry. I'm at work and can't find the article. Will find it and post it when I get home).

This cured my USB memory problem.

[The Cross-Eyed Bear]

Below is the link to the article that cleared my problem with my USB memory stick. Incidentally, my USB stick wouldn't open either when connected to my own computer, or to my friend's.

http://www.mydigitallife.info/2007/04/19/unable-to-open-hard-or-usb-flash-drive-with-windows-script-host-cannot-find-script-file-autorunvbs-error/

[The Cross-Eyed Bear]

As mroilfield asked me to post some scans, I have done so below. I have just run them. The first is HijackThis and the second Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:59 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Secunia\PSI (RC4)\psi.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] "C:\Program Files\Dell\AccessDirect\dadapp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5577 bytes


Malwarebytes' Anti-Malware 1.30
Database version: 1379
Windows 5.1.2600 Service Pack 2

11/10/2008 9:43:44 PM
mbam-log-2008-11-10 (21-43-44).txt

Scan type: Quick Scan
Objects scanned: 46041
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3fdeb171-8f86-0004-0001-69b8db553683} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3fdeb171-8f86-0004-0001-69b8db553683} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[The Cross-Eyed Bear]

Hi,

How do I get rid of this?:  O20 - AppInit_DLLs:

...and is there anyone out there? I feel like I'm posting into the void.

[Computer Hope Admin]

The Cross-Eyed Bear I'd suggest creating a new post and you'll want to also post your HiJackThis log.