Hijacklog (Help)


Sonar


I need a little help on what to remove from this log.

My friend is getting non-stop pop-ups using IE (random pop-ups from all over the place).

It isn't a browser problem, as they still come with Firefox.

I've run Malwarebytes; it found about 250 things and cleaned them.

ccleaner - (for cookies and registry)

He's currently running ESS. Found trojan downloader swizzor.nbk trojan.

Hosts file is clean.

Ran MSN virus remover. Found and cleaned ICERAT.

System Restore is turned off.

Scanned with latest TuneUp. Nothing to be fixed or done with any of those programs.

Scanned with Trojan Remover.

Scanned with McAfee Stinger.

I am updating the log as I remove things myself through remote access (but I'm leaving some things, as I don't know what they are).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:32, on 20/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\pedro\Desktop\progs\HiJackThis_v202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrialReset] C:\WINDOWS\regx32.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230406978136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242835941687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1242836383839&h=d85cfb4fafd1bbaa11781e5184ec8755/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 4183 bytes

This is one of the pop ups (opens as an IE Page)

server error in "/" applicaton
----------

Request timed out.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Request timed out.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpException (0x80004005): Request timed out.]

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433


Run HijackThis. Do a scan.

Mark these:

O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt

O4 - HKLM\..\Run: [Amok Mode Dupe Platform] C:\Documents and Settings\All Users\Application Data\Hold Trust Amok Mode\WMA NURB.exe

Fix Checked.

How are the probs now?
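As an added example (my own code, not from this thread, from HijackThis or from any of the tools named above), here is a small Python parser for the O4 lines of a HijackThis log: the section the first post and this reply are working through. It splits each entry into hive, entry name, executable and arguments, and applies a few review heuristics of my own devising: a rundll32 entry that loads a DLL by bare name, an autorun living in a user-writable data directory, an executable sitting directly in the Windows root, and an unquoted path with spaces. The sample lines are copied from the log above and from the two entries this reply marks; the heuristics are assumptions and produce prompts to verify, not malware verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines copied from the log and from the reply in
# this thread; non-O4 lines (O2, O16, O23, ...) are simply skipped by the parser.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrialReset] C:\WINDOWS\regx32.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [Amok Mode Dupe Platform] C:\Documents and Settings\All Users\Application Data\Hold Trust Amok Mode\WMA NURB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

# HijackThis O4 layout: O4 - <hive>\..\<key>: [<name>] <command> (User '<x>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    quoted: bool
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def scope(self) -> str:
        # HKLM fires for every logon; HKCU is the account that ran the scan;
        # HKUS\<SID> is another hive that happened to be loaded during the scan.
        if self.hive == "HKLM":
            return "all users"
        return "scanning user" if self.hive == "HKCU" else "loaded hive " + self.hive

def split_command(cmd: str):
    """Return (executable, arguments, was_quoted) for an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    # Unquoted: the executable ends at the first known extension, which copes
    # with unquoted paths containing spaces.
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), m.group(2) or "", False
    parts = cmd.split(None, 1) or [""]
    return parts[0], (parts[1] if len(parts) > 1 else ""), False

def assess(e: AutorunEntry) -> List[str]:
    """Heuristic review prompts for one entry (assumptions of mine, not verdicts)."""
    reasons = []
    base = e.exe.lower().rsplit("\\", 1)[-1]
    first_arg = e.args.split()[0] if e.args.split() else ""
    if base == "rundll32.exe" and first_arg and "\\" not in first_arg:
        reasons.append(f"rundll32 loads '{first_arg}' by bare name; which copy "
                       "runs depends on the DLL search order")
    if re.search(r"\\(application data|local settings|temp)\\", e.exe, re.I):
        reasons.append("autorun from a user-writable data directory")
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", e.exe, re.I):
        reasons.append("executable sits directly in the Windows root; check its publisher")
    if " " in e.exe and not e.quoted:
        reasons.append("unquoted path containing spaces")
    return reasons

def parse_o4(line: str) -> Optional[AutorunEntry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args, quoted = split_command(m["cmd"])
    entry = AutorunEntry(m["hive"], m["key"], m["name"], exe, args, quoted, m["user"])
    entry.reasons = assess(entry)
    return entry

def review_log(text: str) -> List[AutorunEntry]:
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]

def flagged(text: str) -> dict:
    """Entry name -> review reasons, for O4 lines that tripped a heuristic."""
    return {e.name: e.reasons for e in review_log(text) if e.reasons}

def hives_present(text: str) -> List[str]:
    """Hives the scan saw; an account whose hive was not loaded is absent."""
    return sorted({e.hive for e in review_log(text)})

if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print("REVIEW" if e.reasons else "ok    ", f"[{e.name}] ({e.scope}) {e.exe}")
        for r in e.reasons:
            print("        -", r)
    print("hives seen:", hives_present(SAMPLE_LOG))
```

Run as-is it reports the two entries this reply marks plus the TrialReset line from the log, and leaves the igfxpers, egui and ctfmon entries alone. The hives_present output is worth a look when a second account is involved: HKLM entries run for every logon, but the per-user Run key of another account only shows up as an HKUS\<SID> line if that user's hive happens to be loaded while the scan runs, so a log taken from the admin account alone does not cover a logged-out account's per-user autoruns.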



Run HijackThis. Do a scan.

Mark these:

O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt

O4 - HKLM\..\Run: [Amok Mode Dupe Platform] C:\Documents and Settings\All Users\Application Data\Hold Trust Amok Mode\WMA NURB.exe

Fix Checked.

How are the probs now?

Seems to be all from the log, from what I can tell.

Btw, very similar computer specs :)

I have an E6400 @ 3.0 GHz, Gigabyte 4850 512 MB, ASUS P5K (Crossfire, which isn't included in the model name); I've also got 2GB 1066MHz.



OK, still pop-ups.

He's just doing a reboot, then I'll get a new log.

The second user account had bits on there (backed up documents); removed the account and remade the second account.

EDIT:

I've gone through everything, it's puzzling.

If all of the above is done, would people recommend backing up and then formatting?



New log on the front page.

ComboFix is the last thing I'll get him to do, as that could mean a format if it messes things up.

I took about 30 things out of the log, but dunno about the rest ;p

Edit: I think the pop-ups have gone as well, from the new log (and hitting the second account).

My question is, why wouldn't the admin account clean out the second user account's junk?



Does he actually use that secondary user account?

If not, he should disable it.



Does he actually use that secondary user account?

If not, he should disable it.

It's his sister's account or a friend's; most of the junk was from downloading, but I would have got rid of it as well.

I think all is good now, "hopefully"; no pop-ups for the past 15-20 mins.



If the pop-ups keep showing up, then use WinPatrol... maybe it will sniff out the app, or the thing that executes itself every time.



If the pop-ups keep showing up, then use WinPatrol... maybe it will sniff out the app, or the thing that executes itself every time.

Malwarebytes' should find it too. Did you do a second scan?



Everything is OK, done and dusted.

My question is, why wouldn't the admin account clean out the second user account's junk, when the admin (I thought) could see everything on another account?



Bizarre™

The Admin's power can be rendered useless if a user encrypts / modifies advanced security settings / password-protects his / her account.



The Admin's power can be rendered useless if a user encrypts / modifies advanced security settings / password-protects his / her account.

Ah ha, that's the reason then, as the second account had been password-protected.

Thanks for the help.

Had no problems so far; both user accounts seem to be clean (for now), awaiting the next bug he gets lol



If something happens again, then try this:

http://gsi.kaspersky.fr/index.php?&hl=en

Download it and let the app create a log; after the log is created, go to the page again and upload it....

You will see all the information about your PC. It makes a deep scan log so you can see what dangerous apps, services, etc. are on your computer!!

This is way better than HijackThis!



If something happens again, then try this:

http://gsi.kaspersky.fr/index.php?&hl=en

Download it and let the app create a log; after the log is created, go to the page again and upload it....

You will see all the information about your PC. It makes a deep scan log so you can see what dangerous apps, services, etc. are on your computer!!

This is way better than HijackThis!

Bookmarked - thanks
