virus problems on an HP box

Postby diastole87 » Wed Oct 03, 2012 11:37 am

hello once again my fellow x-bitters

I come to you now with a problem I am having with a friend of mine's HP computer. He had an obvious virus so I brought it home to work on.

The virus program was called "file recovery". When you logged in to the one and only user account it popped up and started "scanning" the PC and found lots of hard disk errors, broken sectors, bad files and whatnot, along with a mass amount of pop-up warning messages. The start menu folders were all still there, but when you clicked on them they were empty.

So I booted into safe mode from the msconfig boot tab and started going to town, first with Malwarebytes, then the Kaspersky 2013 trial.

When I installed Kaspersky it found the old Norton that was on the machine at one point, but the license was no longer valid so I removed it. After several scans from malware and kasp. I went back in to normal boot and logged in to his user account, to find that the pop-ups and "file recovery" were in fact gone; however, all of his start menu items were still gone.

Thinking I'll come back to that, I tried to start Windows Update and got a message saying Windows cannot update because the service is unavailable (I'm paraphrasing that error), so I googled it and came up with some solutions that involved going to a folder and deleting a .log file and restarting. That did not work. I then went to services.msc and looked for 2 items; one was Windows Update, I cannot remember the other, which doesn't matter because neither was there. My last attempt was typing 4 lines of code into an elevated command prompt; the first line did not work so I stopped with that route and decided to try a Windows repair. But guess what, no luck there either.

So here I am thinking about just saving all of his data on my external and doing a complete re-install. But first I thought I would check with you fine folks to see if you have any suggestions.


thanks in advance
If it aint broke.....fix it until it is
diastole87
Official X-bit photochopper
 
Posts: 350
Joined: Sun Oct 04, 2009 3:13 pm

Re: virus problems on an HP box

Postby Fuzz » Wed Oct 03, 2012 12:04 pm

I'd run system restore. I've had good luck reversing pretty much the same problem as that virus. Keep in mind this will undo any of the other work you have done, but maybe you can find a restore point that works well, at least to start with. System restores have become my go-to for bad systems these days.
It's not the penguins I hate, so much as the idea of penguins.
“I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road.” - Stephen Hawking
Fuzz
X-bit Penguin Hater
 
Posts: 7614
Joined: Tue Jul 13, 2004 11:38 am
Location: Calgary, Canada

Re: virus problems on an HP box

Postby diastole87 » Wed Oct 03, 2012 1:30 pm

Ya, I would have done that if sys restore was turned on lol
If it aint broke.....fix it until it is
diastole87
Official X-bit photochopper
 
Posts: 350
Joined: Sun Oct 04, 2009 3:13 pm

Re: virus problems on an HP box

Postby Fuzz » Wed Oct 03, 2012 1:37 pm

oh, well that there presents a problem. who turns system restore off, anyway?

you could try sfc /scannow to repair system files.

to get Windows update working, copy and paste this in a text file, change the extension to .bat and run.

Code:
REM ******** This will reset automatic updates ********
net stop "Automatic Updates"
del /f /s /q %windir%\SoftwareDistribution\*.*
net start "Automatic Updates"
wuauclt.exe /detectnow

REM ******** This will repair automatic updates ********
net stop bits
net stop wuauserv
%windir%\system32\regsvr32.exe /s %windir%\system32\atl.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\jscript.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\msxml3.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\softpub.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuapi.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng1.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wucltui.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wups.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuweb.dll
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow

REM ******** This will remove and reinstall automatic updates ********
net stop bits
net stop wuauserv
regsvr32 /u wuaueng.dll /s
del /f /s /q %windir%\SoftwareDistribution\*.*
del /f /s /q %windir%\windowsupdate.log
regsvr32 wuaueng.dll /s
net start bits
net start wuauserv
wuauclt.exe /resetauthorization /detectnow

REM ******** This was an additional fix that I found ********
@echo off
c:
net stop wuauserv
regsvr32 /u wuapi.dll /s
regsvr32 /u wups.dll /s
regsvr32 /u wuaueng.dll /s
regsvr32 /u wuaueng1.dll /s
regsvr32 /u wucltui.dll /s
regsvr32 /u wuweb.dll /s
regsvr32 /u MSXML3.dll /s
regsvr32 /u qmgr.dll /s
regsvr32 /u qmgrprxy.dll /s
regsvr32 /u jscript.dll /s
regsvr32 /u wups2.dll /s
regsvr32 /u atl.dll /s
regsvr32 wuapi.dll /s
regsvr32 wups.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wucltui.dll /s
regsvr32 wuweb.dll /s
regsvr32 MSXML3.dll /s
regsvr32 qmgr.dll /s
regsvr32 qmgrprxy.dll /s
regsvr32 jscript.dll /s
regsvr32 wups2.dll /s
regsvr32 atl.dll /s

cd %windir%
ren SoftwareDistribution SoftDist-old
net start wuauserv
exit



No guarantees on that one... I didn't write it but it has worked every time for me. This is XP right? Haven't tried this on Win 7. That being said, it may be better to save data and reinstall. Make sure you have a copy of license keys, you can get them using:
http://www.nirsoft.net/utils/product_cd_key_viewer.html

May not work for newer versions of Adobe.
It's not the penguins I hate, so much as the idea of penguins.
“I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road.” - Stephen Hawking
Fuzz
X-bit Penguin Hater
 
Posts: 7614
Joined: Tue Jul 13, 2004 11:38 am
Location: Calgary, Canada

Re: virus problems on an HP box

Postby Hammer_Time » Wed Oct 03, 2012 1:47 pm

The Penguinologist has given you some sage advice above, but you might also try this as well:

Go into Safe mode ( with networking ) in Windows

dl and install Hijack This:

http://sourceforge.net/projects/hjt/

run it and remove any suspicious entries that look like malware/trojans/spyware , if not sure just google the executable name to see if it is safe or malicious...

then dl and install this excellent free a/v sw:

http://download.cnet.com/Avast-Free-Ant ... 19223.html

After install just reboot and it will automatically run a boot level scan before Windows loads to look for infections...

If that still does not fix the problem, then just backup his data ( partition or to writable disc ) , and reinstall windows fresh to the primary OS partition as you mentioned already in your post...

Good luck!!
The richest man is not he who has the most, but he who needs the least. No good deed goes unpunished...

Hammer_Time
Rantmeister Mod
 
Posts: 31862
Joined: Wed Dec 31, 1969 4:00 pm
Location: Kitchener-Waterloo, Ontario, Mordor

Re: virus problems on an HP box

Postby Stupify » Wed Oct 03, 2012 1:55 pm

I turn off system restore - no need to have something hog up space and do backups hogging up system resources. If I ever run into that situation that I would need something of that sort, I am sure that I will be better off with a full system format by then as that provides me with an opportunity to install a newer version of the software I use.

Actually I have now gone and taken a smarter/lazy way: System Image #1: install OS and configure it to my likings; System Image #2: install rest of the software that I feel must have and configure. So I can use those images if and when $hit hits the fan.

Going back to the topic:

When a system is so badly screwed up, you should not even second guess what needs to be done. It would be a lot less time wasted doing a full format and copy back than trying out 1000 variations to fix such a system.
What goes around comes around with interest!
Stupify
Moderator
 
Posts: 9065
Joined: Wed Dec 31, 1969 4:00 pm

Re: virus problems on an HP box

Postby Fuzz » Wed Oct 03, 2012 2:26 pm

System restore doesn't take much space, doesn't hog resources (it just takes a moment to create a restore point whenever you install anything) and restores in about 5 minutes. It is by far the easiest way to recover a damaged system from a crapped install.
It's not the penguins I hate, so much as the idea of penguins.
“I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road.” - Stephen Hawking
Fuzz
X-bit Penguin Hater
 
Posts: 7614
Joined: Tue Jul 13, 2004 11:38 am
Location: Calgary, Canada

Re: virus problems on an HP box

Postby DIREWOLF75 » Wed Oct 03, 2012 2:35 pm

Fuzz wrote:who turns system restore off, anyway?

Me? Took up a dastardly big chunk of HDD space. And kept annoying me as heck.




diastole87 wrote:The virus program was called "file recovery". When you logged in to the one and only user account it popped up and started "scanning" the PC and found lots of hard disk errors, broken sectors, bad files and whatnot, along with a mass amount of pop-up warning messages. The start menu folders were all still there, but when you clicked on them they were empty.

Oh lovely. Seems to be the same as the one that wormed onto my machine by using the *autoload and open* setting for .pdf files in the browser to bypass the firewall. Firewall caught it when it executed, but the damn thing still managed to delete about half the files in the start menu directories.

After getting rid of what little remained of the virus, I simply checked where stuff was missing and copied the files from my other computer as much as possible.
This has been an objective and completely impartial message from the propaganda bureau of DIREWOLF75. Thank you for reading. Have a nice day.
DIREWOLF75
X-bit Goon
 
Posts: 14666
Joined: Wed Dec 31, 1969 4:00 pm
Location: Isthmus of Baldur (modernly known as Bollnäs), Sweden

Re: virus problems on an HP box

Postby diastole87 » Wed Oct 03, 2012 10:23 pm

It's Win 7, Fuzz. Should I still try that .bin?

Thanks to everyone for the help.
Hammer, Avast did not run a boot level scan; how can I start that manually?

Here is the hijack file. I looked through it and nothing jumped out at me.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:42:05 AM, on 10/4/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Safe mode with network support

Running processes:
C:\Users\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll
O2 - BHO: AMD SteadyVideo BHO - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - c:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - (no file)
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: &Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files (x86)\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A995DD9-7AF6-4D6B-9A6D-BCBC9D26C22B}: NameServer = 10.133.20.11 10.132.20.11
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll
O18 - Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: CalendarSynchService - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
O23 - Service: Cricket Broadband EC1705. OUC (Cricket Broadband EC1705. RunOuc) - Unknown owner - C:\Program Files (x86)\Cricket Broadband EC1705\UpdateDog\ouc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Auto (HPAuto) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mobile Broadband Experience Client - Unknown owner - C:\Program Files (x86)\Carrier IQ\MBBEClient_x86\Mobile Broadband Experience Client\MBBEClient.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files (x86)\PDF Complete\pdfsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12386 bytes

If it aint broke.....fix it until it is
diastole87
Official X-bit photochopper
 
Posts: 350
Joined: Sun Oct 04, 2009 3:13 pm
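
A triage pass over the HijackThis log posted above, as an added example that is not part of any post in this thread. HijackThis 2.0.4 is a 32-bit program, so on 64-bit Windows its reads of C:\Windows\System32 are redirected to SysWOW64 and service binaries that exist only as 64-bit files are reported as "(file missing)" even when they are present. The verdict names and the rules behind them are this example's own heuristics, and the sample lines are a subset copied from that log.

```python
import re
from collections import Counter

# Subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - (no file)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
"""

ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
MISSING = " (file missing)"
SYSTEM32 = "c:\\windows\\system32\\"


def looks_64bit(log_text):
    """A log that mentions the x86 program folder or SysWOW64 came from 64-bit Windows."""
    low = log_text.lower()
    return "program files (x86)" in low or "syswow64" in low


def parse_service(body):
    """Split 'Service: name - owner - path[ (file missing)]', working from the right."""
    body = body[len("Service: "):]
    missing = body.endswith(MISSING)
    if missing:
        body = body[:-len(MISSING)]
    head, _, path = body.rpartition(" - ")
    name, sep, owner = head.rpartition(" - ")
    if not sep:  # empty owner field, e.g. "name - - path"
        name, owner = head.rstrip(" -"), ""
    return name, owner, path, missing


def triage(log_text):
    """Return (section code, verdict, detail) for every entry line in the log."""
    wow64 = looks_64bit(log_text)
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if body.endswith("(no file)"):
            # Registry entry left behind with no file on disk.
            results.append((code, "orphaned-entry", body))
        elif code == "O23" and body.startswith("Service: "):
            name, owner, path, missing = parse_service(body)
            if missing and wow64 and path.lower().startswith(SYSTEM32):
                # Heuristic: redirected read by a 32-bit tool, confirm with sfc
                # or a 64-bit file listing before treating the file as gone.
                verdict = "wow64-artifact"
            elif missing:
                verdict = "missing-verify"
            elif owner in ("", "Unknown owner"):
                # File exists but carries no company name: check signature and hash.
                verdict = "review-unknown-owner"
            else:
                verdict = "ok"
            results.append((code, verdict, path))
        else:
            results.append((code, "not-assessed", body))
    return results


def summary(log_text):
    """Count verdicts so the entries worth a manual look stand out."""
    return Counter(verdict for _, verdict, _ in triage(log_text))


if __name__ == "__main__":
    for code, verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:22} {code:4} {detail}")
```
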

Re: virus problems on an HP box

Postby Sauron_Daz » Wed Oct 03, 2012 11:36 pm

Many files missing.. Why not just wipe the disk and reinstall?
We never think of us as being one of Them. We are always one of Us. It's Them that do the bad things.
Sauron_Daz
Evil OverLord Mod
 
Posts: 33249
Joined: Wed Dec 31, 1969 4:00 pm

Re: virus problems on an HP box

Postby Fuzz » Thu Oct 04, 2012 4:53 am

ya, looks like a reinstall is your best bet. My script isn't going to do much with all those files missing. sfc /scannow might be worth a shot if you are desperate, because it restores system files.
It's not the penguins I hate, so much as the idea of penguins.
“I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road.” - Stephen Hawking
Fuzz
X-bit Penguin Hater
 
Posts: 7614
Joined: Tue Jul 13, 2004 11:38 am
Location: Calgary, Canada

Re: virus problems on an HP box

Postby Hammer_Time » Thu Oct 04, 2012 8:58 am

From the HijackThis log file ( thank you for posting it, really helps ) , it appears you still have Kaspersky a/v installed...should be uninstalled cuz a/v programs conflict with each other in general...

Uninstall Kaspersky and Avast, reboot , install Avast again by itself, and reboot. Launch Avast interface ( right click on the orange "a" Avast Icon in your Systemtray and select "Open Avast User Interface" ), then click on Update and make sure it is updated completely ( program and Definition files ), then click on "Scan" and select "Full System Scan" and let it go, will take about an hour or so roughly to complete...if that does not find any malware/virus then I think you should give up and do a fresh install of Windows at that point...

I don't see any obvious virus files either ( could have system files infected of course ) , but nothing that is "obvious" here.

You could try various registry cleaner utilities and so forth, but looking at the amount of "junk" he has installed on his computer, you would be doing him a huge favour by just doing a fresh install of Windows at this point ( much faster boot time then of course ). Then he ( or you ) can just install what he "needs" and hopefully cut down on some of the extraneous stuff listed in that log file you posted.

I think that since you will probably wind up doing a fresh install of Windows in the end anyways, might as well quit banging head against wall and get it over with now, easier on you and him in the end. Good luck!!
The richest man is not he who has the most, but he who needs the least. No good deed goes unpunished...

Hammer_Time
Rantmeister Mod
 
Posts: 31862
Joined: Wed Dec 31, 1969 4:00 pm
Location: Kitchener-Waterloo, Ontario, Mordor

Re: virus problems on an HP box

Postby diastole87 » Thu Oct 04, 2012 9:39 am

I'll try the sfc scan, if not I'll just re-install.

Do HP Windows keys require a special disk or version of Windows like Dell's do?
If it aint broke.....fix it until it is
diastole87
Official X-bit photochopper
 
Posts: 350
Joined: Sun Oct 04, 2009 3:13 pm

Re: virus problems on an HP box

Postby veli05 » Thu Oct 04, 2012 10:31 am

Fuzz wrote:System restore doesn't take much space, doesn't hog resources (it just takes a moment to create a restore point whenever you install anything) and restores in about 5 minutes. It is by far the easiest way to recover a damaged system from a crapped install.


I agree :wink:
veli05
Full Member
 
Posts: 362
Joined: Thu Jan 20, 2011 7:59 pm

Re: virus problems on an HP box

Postby veli05 » Thu Oct 04, 2012 10:36 am

diastole87 wrote:I'll try the sfc scan, if not I'll just re-install.

Do HP Windows keys require a special disk or version of Windows like Dell's do?


If it is a factory configured box it "might" have the license sticker affixed to the outside of the case somewhere. Otherwise you are going to need to use/get a different key from somewhere else. Win7 licenses are 100 bucks on the egg both 64 bit and 32 bit versions.

http://www.newegg.com/Product/Product.aspx?Item=N82E16832116986
veli05
Full Member
 
Posts: 362
Joined: Thu Jan 20, 2011 7:59 pm

Re: virus problems on an HP box

Postby Stupify » Thu Oct 04, 2012 11:41 am

veli05 wrote:
Fuzz wrote:System restore doesn't take much space, doesn't hog resources (it just takes a moment to create a restore point whenever you install anything) and restores in about 5 minutes. It is by far the easiest way to recover a damaged system from a crapped install.


I agree :wink:

Maybe, but I still prefer my version - System image at two checkpoints - a) fresh install with basic configurations done and b) once all the necessary software have been installed and configured to my likings. No need to second guess where hell broke loose.
What goes around comes around with interest!
Stupify
Moderator
 
Posts: 9065
Joined: Wed Dec 31, 1969 4:00 pm

Re: virus problems on an HP box

Postby Sauron_Daz » Thu Oct 04, 2012 1:35 pm

Also no need to look up the key that way.
We never think of us as being one of Them. We are always one of Us. It's Them that do the bad things.
Sauron_Daz
Evil OverLord Mod
 
Posts: 33249
Joined: Wed Dec 31, 1969 4:00 pm

Re: virus problems on an HP box

Postby Celt » Thu Oct 04, 2012 9:21 pm

If it is HP then there will be a recovery partition on the disk, and you would have been given the option of creating recovery CDs . . .
You don't have to be a megalomaniac to moderate this forum . . . but it helps!
1123.6536.5321 - More than a number, it's our home!
Celt
SpamCrusher Mod
 
Posts: 9695
Joined: Wed Dec 31, 1969 4:00 pm
Location: The Land of Concrete Cows

Re: virus problems on an HP box

Postby Sauron_Daz » Thu Oct 04, 2012 10:38 pm

What if he didn't?
We never think of us as being one of Them. We are always one of Us. It's Them that do the bad things.
Sauron_Daz
Evil OverLord Mod
 
Posts: 33249
Joined: Wed Dec 31, 1969 4:00 pm

Re: virus problems on an HP box

Postby Hammer_Time » Fri Oct 05, 2012 2:02 pm

He should still be able to create the recovery discs, it doesn't sound like the Windows is so mangled that it would prevent that from being possible ( dunno till he tries it though ), worth a shot.

This is recommended because the hp system recovery process includes ALL the correct hp drivers for that particular laptop, so it is relatively painless to do a fresh install of Windows, all drivers will be working immediately. Then just have to install apps and tweak settings after of course, hopefully cutting out a lot of crap that showed up in the HijackThis log...get rid of some of that bloatware on startup, will make a speed difference on bootup...never hurts...
The richest man is not he who has the most, but he who needs the least. No good deed goes unpunished...

Hammer_Time
Rantmeister Mod
 
Posts: 31862
Joined: Wed Dec 31, 1969 4:00 pm
Location: Kitchener-Waterloo, Ontario, Mordor
