So yeah, long story short, a friend of mine brought me his laptop after he suspected something was wrong. When I asked him what had happened he told me he simply clicked a link.
However, as soon as I opened it up programs started to install themselves, default search engines / homepages were changed and the disk usage hung at 90%. I also noticed that he had a program called Alcohol 120% open which had a disk mounted, so I think he tried to install an illegal game and it borked up his system.
It's a Dell Inspiron 5547 running Windows 8.1.
I have already laid down the groundwork on cleaning this machine but I think that I'm missing some things, so bear with me:
- First I removed all the programs that had installed themselves using REVO Uninstaller (which also deletes registry keys).
- I then did a run with MBAM and Windows Defender (see attached MBAM log: MBAM Scan 28-2-15.txt).
- Seeing quite a few things in the MBAM log I decided to run Rkill before anything else (see attached log: Rkill.txt).
- After running Rkill I ran MBAR, GMER and RogueKiller. MBAR pointed out two rootkits, which it said it removed. I can't find the log, but here are the GMER and RogueKiller logs: GMER log.txt and RKreport_SCN_03012015_025853.log
- After this I ran aswMBR, which kind of got funky (read: I couldn't download the Avast definitions, and at the same time ESET Online Scanner gave me an "Unexpected event 200"), so I don't know if it ran correctly, but it made this log: aswMBR.txt
- And after that I kind of got baffled at how ESET gave me the error, decided to google it, only to find out that the internet had stopped working (my own laptop still worked, so did my phone, but the infected machine didn't). Luckily I have a USB with quite a few tools on there which I update regularly from my own laptop, and one of them was Farbar, which produced these logs: FRST.txt and Addition.txt
Alright, so to shoot down the obvious things that might get noticed:
- He has a pirated Adobe CS6 suite and some CC programs. I confronted him with this but he told me that he needs those for his uni, so he can't delete them.
- He uses both FF and Chrome, and both of those have omnibox stuck as their default search engine. He told me that he uses Google so I guess that the infection changed it. I can't, however, for the life of me change them back.
- His drive is partitioned in two parts, C and D. He uses C for all sorts of stuff and D for uni / work / misc.
- Of course he didn't make any backups or anything, but there are a few restore points (most of which I made today).
Oh, I also noticed that this laptop doesn't have a CD/DVD drive, so I can't simply reinstall the OS (which, if my hunch that this is a rootkit is correct, might be the better idea) or do anything that requires a CD or DVD.
Any help would be highly appreciated folks!