
Solved Browser & google hijack and AV/Malware disabled

Discussion in 'Malware and Virus Removal Archive' started by belgarath1960, 2008/11/30.

  1. 2008/12/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    rem Dump every ProfileList subkey (one per account SID) with its values into peek.txt
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >peek.txt
    start notepad peek.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and peek.txt will open.

    In peek.txt find the entry shown below.

    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Boss.BOSS

    Just above it, I need the entire path of the key it's listed under, similar to below.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1645522239-152049171-1343024091-1012
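What peek.txt holds and how to pull the key out of it, as an added example that is not part of the thread: this Python parses `reg query ... /s` output, maps each SID under ProfileList to its ProfileImagePath, returns the full key path whose folder name you ask for, and lists profiles whose folder carries a suffix (user.COMPUTERNAME, user.000, ...), which Windows creates when an account logs on and the plain <user> folder cannot be used. The sample text is constructed in the layout REG.EXE 3.0 prints; it is not the poster's peek.txt.

```python
"""Pull the ProfileList key for a profile folder out of `reg query ... /s` output.

Added example (not the poster's peek.txt): the sample text below is
constructed in the layout REG.EXE 3.0 prints, one key per block with its
values indented beneath it.
"""
import re
from typing import Dict, List, Tuple

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample output (tabs between name, type and data, as reg.exe emits them).
SAMPLE_PEEK_TXT = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    PROFILE_LIST,
    "    ProfilesDirectory\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings",
    "",
    PROFILE_LIST + "\\S-1-5-18",
    "    ProfileImagePath\tREG_EXPAND_SZ\t%systemroot%\\system32\\config\\systemprofile",
    "",
    PROFILE_LIST + "\\S-1-5-21-917563655-598665437-3809949608-1005",
    "    ProfileImagePath\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings\\Admin",
    "",
    PROFILE_LIST + "\\S-1-5-21-917563655-598665437-3809949608-1006",
    "    ProfileImagePath\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings\\Boss.BOSS",
    "    Flags\tREG_DWORD\t0x0",
    "",
])

# indented "<name> <REG_type> <data>" line; data may itself contain spaces
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """key path -> {value name: (type, data)}; blank and banner lines are skipped."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.rstrip())
    return keys


def profile_image_paths(keys: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, str]:
    """SID -> ProfileImagePath for every ProfileList subkey that carries one."""
    prefix = PROFILE_LIST + "\\"
    out = {}
    for key, values in keys.items():
        if key.upper().startswith(prefix.upper()) and "ProfileImagePath" in values:
            out[key[len(prefix):]] = values["ProfileImagePath"][1]
    return out


def keys_for_profile_folder(keys: Dict[str, Dict[str, Tuple[str, str]]],
                            folder_name: str) -> List[str]:
    """Full key path(s) whose ProfileImagePath ends in \\<folder_name> (case-insensitive)."""
    wanted = "\\" + folder_name.lower()
    return [PROFILE_LIST + "\\" + sid
            for sid, path in profile_image_paths(keys).items()
            if path.lower().endswith(wanted)]


def renamed_profiles(keys: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, str]:
    """SID -> folder for user profiles (S-1-5-21-*) whose folder name carries a
    suffix (user.COMPUTERNAME, user.000, ...).  Windows creates such a folder when
    an account logs on and the plain <user> folder cannot be used, so one of these
    beside an orphaned <user> folder is the situation the thread is untangling.
    An account whose name itself contains a dot (john.smith) is listed as well."""
    out = {}
    for sid, path in profile_image_paths(keys).items():
        if not sid.startswith("S-1-5-21-"):
            continue
        folder = path.rsplit("\\", 1)[-1]
        base, dot, suffix = folder.partition(".")
        if dot and base and suffix:
            out[sid] = folder
    return out


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_PEEK_TXT)
    for key in keys_for_profile_folder(parsed, "Boss.BOSS"):
        print("key to retarget:", key)
    for sid, folder in renamed_profiles(parsed).items():
        print(f"{sid} -> {folder}: suffixed profile folder; check whether the plain folder still exists on disk")
```

Feed it the real peek.txt by replacing SAMPLE_PEEK_TXT with the file's contents; the key printed for the folder name is the one the next post needs.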
     
  2. 2008/12/07
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    Here's the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-917563655-598665437-3809949608-1006
    Cheers
     


  4. 2008/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, before going any further I need to know a couple more things.

    1. Are you able to logon to any of the other accounts, preferably one with Administrative rights?
    2. From that account, can you access both the \Documents and Settings\Boss and \Documents and Settings\Boss.BOSS folders?
     
  5. 2008/12/07
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    Yes to both :)
     
  6. 2008/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great!

    Highlight and copy the contents of the code box below.
    Code:
    rem The quotes inside %"SystemDrive"% keep cmd from expanding it to C: before reg.exe sees it:
    rem no variable named "SystemDrive" exists, so pasted into a command window the text is left
    rem alone; reg.exe strips the quotes and stores the literal %SystemDrive%, which REG_EXPAND_SZ
    rem expands at logon. Inside a .bat file an undefined %name% expands to nothing, so paste it as told.
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-917563655-598665437-3809949608-1006" /v ProfileImagePath /t REG_EXPAND_SZ /d "%"SystemDrive"%\Documents and Settings\Boss" /f
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-917563655-598665437-3809949608-1006" >peek.txt
    start notepad peek.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and peek.txt will open. Post its contents here.

    Do not try to log on or off your account until further notice!

    I also need to know, is the Boss folder named exactly that - Boss
     
  7. 2008/12/07
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    So should I be logged in as 'Boss' or another admin account when I do this? And can I presume it's OK to switch users as long as the boss account stays logged in?
    Here's the file path for the folder in question:
    C:\Documents and Settings\Boss
    To clarify, when I log in as 'Boss' I actually get 'BOSS.Boss' docs and settings.
    Thanks :)
     
  8. 2008/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can be logged in on your account (Boss.BOSS)
    There should be no other users logged on
    No user switching should be used
    I fully understand what profile is accessed when you logon, and what profile you want accessed instead.
    Follow my instructions to the letter and you'll get there. ;)
     
  9. 2008/12/07
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    here we go

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-917563655-598665437-3809949608-1006
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Boss
     
    Last edited by a moderator: 2008/12/07
  10. 2008/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great!

    First log off your account. Do not switch users; log off.
    Logon to the other account from which you have access to the Boss folders.
    Navigate to Documents and Settings\Boss.BOSS
    On the menu, click Tools>Folder Options
    Select the View tab
    Scroll down and select 'Show hidden files and folders'
    Clear the checkbox 'Hide extensions for known file types'
    Clear the checkbox 'Hide protected operating system files (Recommended)'
    Answer yes to the prompt
    Click OK

    Right click the 1 kb file named ntuser.dat.log and select copy
    Navigate to Documents and Settings\Boss, right click the 1 kb file named ntuser.dat.log and select Rename
    Name it oldntuser.dat.log
    Right click a blank space and select paste
    Double click ntuser.dat.log and locate the string a n d S e t t i n g s \Boss.BOSS\ N T U S E R . D A T
    Change the string to a n d S e t t i n g s \Boss\ N T U S E R . D A T
    Close and save the changes

    Now log off and log on to Boss
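The Notepad step above edits a UTF-16LE string in a binary file: Notepad treats the file as 8-bit text, so the zero high byte of every character shows as a gap, which is why the path reads "a n d  S e t t i n g s". The following Python is an added example, not part of the post: it locates such a string by its encoded bytes, shows how an 8-bit editor renders it, and rewrites it on a copy while reporting the offsets and the size change. It treats the file as opaque bytes (no claim is made about the log file's layout); the sample bytes are constructed.

```python
"""Find and rewrite a UTF-16LE path inside a binary file, as the Notepad edit
above does by hand.  Added example; SAMPLE_LOG is constructed, not a real log."""
import os
from typing import List, Tuple


def utf16le(s: str) -> bytes:
    return s.encode("utf-16-le")


def find_utf16(blob: bytes, needle: str) -> List[int]:
    """Byte offsets of every UTF-16LE occurrence of needle in blob."""
    pat = utf16le(needle)
    hits, start = [], 0
    while (i := blob.find(pat, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def as_notepad_shows(blob: bytes, offset: int, nchars: int) -> str:
    """Render a UTF-16LE run the way an 8-bit text editor displays it: the zero
    high byte of each code unit becomes a gap, so 'and' reads 'a n d '."""
    chunk = blob[offset:offset + 2 * nchars]
    return "".join(chr(b) if 32 <= b < 127 else " " for b in chunk)


def replace_utf16(blob: bytes, old: str, new: str) -> Tuple[bytes, int]:
    """Replace every UTF-16LE occurrence of old with new; returns (new_blob, hits).
    When old and new differ in length the file shrinks or grows (Boss.BOSS -> Boss
    removes 10 bytes per hit), which a structured binary file may not tolerate:
    always keep the untouched original, as the rename step in the post does."""
    old_b, new_b = utf16le(old), utf16le(new)
    out, last = bytearray(), 0
    offsets = find_utf16(blob, old)
    for off in offsets:
        out += blob[last:off] + new_b
        last = off + len(old_b)
    out += blob[last:]
    return bytes(out), len(offsets)


def patch_file(path: str, old: str, new: str) -> int:
    """Edit a file in place after saving a copy named old<basename> beside it."""
    with open(path, "rb") as f:
        blob = f.read()
    d, name = os.path.split(path)
    with open(os.path.join(d, "old" + name), "wb") as f:
        f.write(blob)
    patched, hits = replace_utf16(blob, old, new)
    with open(path, "wb") as f:
        f.write(patched)
    return hits


OLD_PATH = "and Settings\\Boss.BOSS\\NTUSER.DAT"
NEW_PATH = "and Settings\\Boss\\NTUSER.DAT"

# Constructed stand-in for a fragment of the log: arbitrary non-text bytes around
# the UTF-16LE path (8 bytes before, 4 after); no claim about the real layout.
SAMPLE_LOG = (b"\x00\x01\x02\x03\x04\x05\x06\x07"
              + utf16le("C:\\Documents " + OLD_PATH)
              + b"\xff\xfe\x00\x00")

if __name__ == "__main__":
    for off in find_utf16(SAMPLE_LOG, OLD_PATH):
        print(f"offset {off}: {as_notepad_shows(SAMPLE_LOG, off, len(OLD_PATH))}")
    patched, hits = replace_utf16(SAMPLE_LOG, OLD_PATH, NEW_PATH)
    print(f"{hits} replacement(s); size {len(SAMPLE_LOG)} -> {len(patched)} bytes")
```

Against the real file, `patch_file(r"C:\Documents and Settings\Boss\ntuser.dat.log", OLD_PATH, NEW_PATH)` performs the rename-and-edit of the post in one step; a hit count of 0 means the string is not where you expected it and nothing was changed.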
     
  11. 2008/12/09
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    Hi
    Followed the instructions and now have a new folder in docs and settings for a Boss.BOSS.000, and no change to the settings I was experiencing with the original 'boss' login. As I was mainly concerned about Outlook and the mydocs folders, I've re-created my outlook settings from scratch and grabbed the applicable outlook.pst folder into a new login with a different name. I've also copied across my favorites and the mydocs folder. I haven't deleted the 3 'boss' folders in mydocs yet, but I have deleted the boss user login, so there's probably not much point in keeping them there. I can see all my mail and other files now under the new login.
    Is there anything I need to 'clean up'? My PC seems to be behaving itself, although a bit slower with all the new preventatives I've installed... wouldn't want to do this too often! :)
    Thanks
     
  12. 2008/12/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear you've sorted things to suit you. :)

    You can delete the C:\rsit folder.
    We need to uninstall properly. To do so, download a fresh copy of ComboFix and save it to your desktop.

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\combofix.exe" /u

    Click Start>Run and paste the command in the Run dialog, then hit Enter. ComboFix will run and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    Yes, you can also delete those Boss folders. Provided everything else is OK now, I'd say we're done here. :)
     
  13. 2008/12/21
    belgarath1960

    belgarath1960 Inactive Thread Starter

    Joined:
    2008/11/28
    Messages:
    20
    Likes Received:
    0
    By the way, thank you for your help on this one. I've spent the last week or so trialling various bits of software to help prevent this kind of shite from happening...
    Cheers!
     
  14. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
