
Thread: system being overtaken

  1. #1
    Junior Member
    Join Date
    Sep 2005
    Posts
    7

    system being overtaken

    Hi, Jack here, or rather his friend Diana. Jack's English really sucks big time.
    For several days now his comp has been acting up. After me checking it, it appears that he has hijacking warnings all being logged, a keylogger, a browser hijack and so on. I tried as much as possible to get rid of it but I ain't that good yet, not by a long shot. I even downloaded stuff here to get rid of it all. Please can you help him out?
    I told him he could try in his best English and after in Dutch. He doesn't even bother if someone would help out by actually getting in to his comp. He's kinda desperate and oh so pissed off. lol.. I would.. You can answer here or send him mail at jackvandorst81@hotmail.com
    I would very much appreciate any effort in helping him, so thank you in advance,
    Diana.

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Well I might as well start before somebody else does:

    1) What OS are we dealing with?
    2) What patch level is he at?
    3) What AV and Spyware programs have been run?
    4) What were the results? (names of things found)
    5) Has he got back-ups?

    More info is required for people here to start helping you/him out.

    By the way, there are a lot of good people here that speak Dutch so if he has to communicate in Dutch, he will likely still get help.

    Cheers:
    DjM

  3. #3
    Junior Member
    Join Date
    Sep 2005
    Posts
    7
    Thank you for responding this quick.
    The thing is I just now checked and everything disappeared. I wanted to check his log book too and I can't even get in to it, although what I can recall were warnings like: browser hijack; an application trying to get info about credit card nos., passwords and so on. His system breaks down all the time, he gets pages he never requested. I have to restart the comp to get more info on the warnings.. oh man, it is going to be a long night.

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    OK Darlin', take a deep breath and calm down. Please answer some or all of the questions I asked above and I am sure we (the community) will be able to help you out. Remember, it's just a computer, you can always build a new one.

    Cheers:
    DjM

  5. #5
    Junior Member
    Join Date
    Sep 2005
    Posts
    7
    "Takes a deep breath". Okay will do.
    What he used: spyware removers; browser hijack recovery; keylogger stopper (I had to disable it because I couldn't get anywhere); spyware begone, adware. He has no backups (aaahh). The warnings: system overtake, UNDIS user mode 1/0 Driver (file ndisuiwo.sys).
    Application Hijacking has been detected
    The application: C:\WINDOWS.0\system32\smss.exe try to launch another application: C:\WINDOWS.0\system32\wbem\wmiprvse.exe

  6. #6
    Junior Member
    Join Date
    Mar 2003
    Posts
    14
    The application hijacking could be something big to nothing.
    www.neuber.com/taskmanager/process/wmiprvse.exe.html

    This explains a little more about the file and if you scroll down to the comments, other people have posted about their findings after looking into files some worms manipulate.

  7. #7
    Junior Member
    Join Date
    Sep 2005
    Posts
    7
    Okay, zipc0de.
    I'm trying to recover some data to post here. Settings seemed to be altered (and it wasn't me) and it might take a while before I can post more specific info. Thank you too.

  8. #8
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    If you could follow the instructions here
    then we will, at least, have a level playing field.

    Just run the basic tools [in SAFE mode]
    then run HJT, and save the results in a .txt file and post 'em here.

    As stated prior, if Jack or yourself feel better 'speaking' in Dutch, then we do have several members from that region who will be able to help too ...

    Also the questions from DjM,
    with some extras too:

    OS
    patch level
    internet connection
    amount of 'surf' time [exposure]
    level of competence [yours AND Jack's]
    time scale since this has been noticeable
    scale of potential loss [bank account / P2P / CC # / Jokes / thesis etc.]
    your security routine
    age of PC

    Pax

    and don't worry about the long nights ...

    that's what busted PCs were MADE for
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  9. #9
    Junior Member
    Join Date
    Sep 2005
    Posts
    7
    Name the worms and Jack has them in this comp.. I need a break, been sitting in front of this comp for about 5 hours now. The good news: he's back online and protected.. although. I will come online later with my own comp, to give you the requested details. You guys are the greatest and funny too, thank you so much and talk to you later. DjM, you have a great weekend and we'll catch up after the weekend. Bye for now, Diana

  10. #10
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    If it's too much, and the data on the PC ain't too important

    clean install, on a new partition
    start afresh
    don't get too attached to a screen
